Platform for facilitating an automated IT audit

ABSTRACT

A platform for facilitating an automated IT audit. The platform may have a frontend allowing users to access the platform, a backend configured to perform processing, and a data collection system equipped to interface with connectors. The backend may include at least one server equipped to send, receive, store, and process data; a testing and analyzing system that may make use of algorithms, machine learning, and artificial intelligence in order to test and analyze the collected data against pre-configured best practice standards and policies; and a reporting system that may be configured to transmit the tested and analyzed data to the frontend. The backend system may be configured to opine on the data and generate specific recommendations about future developments of an auditee's IT infrastructure, allowing an audit to be completed automatically from start to finish by use of the software, eliminating the need for human intervention.

COPYRIGHT NOTICE

A portion of the disclosure of this patent document contains material which is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure, as it appears in the Patent and Trademark Office patent file or records, but otherwise reserves all copyright rights whatsoever.

BACKGROUND

Information technology (IT) audits, sometimes also called information systems (IS) audits, are processes by which an organization's information technology infrastructure, policies, and operations are examined and evaluated. Such audits specifically examine the management controls within an information technology infrastructure, in order to determine if the information systems are meeting all necessary objectives for an information technology system, such as safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives. (In many cases, such audits may be performed in conjunction with audits of other systems, such as a financial audit or internal audit.)

Audit procedures, in general, are designed to ensure that a business or other organization complies with certain quality standards. This can help ensure that problems with the existing procedures of the business or other organization are found and can be corrected. Ensuring that the business complies with such procedures can also protect the business from legal trouble, in cases where the standards in question are laws or administrative guidelines. Finally, it can also make the business easier to expand (or easier to incorporate into another business if purchased), since the business's existing procedures are likely to be somewhat similar to those of other businesses and somewhat familiar to many new hires. This can help to attract investment.

However, strict adherence to a single comprehensive standard is often wasteful and not useful for all organizations that might be subject to the audit. Imposing strict uniform compliance requirements can likewise cause the organization to seek to meet the letter of the requirements rather than their spirit, defeating much of the purpose of the standard and impairing efficiency. As such, it may in some cases be preferable to measure a level of standards compliance based on the percentage of the standard with which the organization in question complies (for example, 70% compliance), or to structure the standard to provide certain “levels” of compliance which the business or other organization can choose to pursue. (For example, there may be “bronze,” “silver,” and “gold” levels of compliance, each one indicating that the business meets certain further or more stringent requirements.)

To give an example of how this may work in practice, the popular and well-known ISO 9001 certification standard (for quality management) has been criticized since its inception as imposing an inordinate and often unnecessary paperwork burden, which has significant costs in both money and time, with many of its features being inapplicable to many businesses or even being driven by fads. An examination of the level of quality standard integration of the 2000 ISO 9000 standard (ISO 9000:2000) by Robert Sroufe and Sime Curkovic, entitled “An examination of ISO 9000:2000 and supply chain quality assurance” and published in the Journal of Operations Management (Volume 26, Issue 4, July 2008, pp. 503-520), noted that, up until that point, the relevant literature had been clearly divided in its assessment of ISO 9000:2000, with around half of the sourced articles indicating that it was “another paper-driven process that increases risk, uncertainty, and costs.” This is a problem, since the certification procedure is strongly preferred (or even required) by many industry sectors and many clients, as an indication that the business is performing according to proper quality standards. Failure to comply with at least some level of the standard may be taken as an indication that the business cannot meet other contractual requirements, and may mean that the business loses significant amounts of revenue or even that it is unable to compete. One consequence of this has been that the bare-minimum documentation standards for a “minimum scope organization” audited under the ISO 9001 certification procedure have been trending downward since the early 2000s, with ISO 9001:2000 having the strictest documentation requirements, ISO 9001:2008 having looser minimum requirements, and ISO 9001:2015 having the loosest minimum requirements yet. This ensures that businesses can seek ISO 9001 certification (now required by certain sectors and certain clients) without imposing standards and processes that do not make sense for them, or which do not make sense for certain areas of the business (such as certain departments, certain plants, and the like). Successor standards drafted based on the ISO 9000 experience, such as the ISO/IEC 27000 series of standards for information security, have likewise generally been formulated to be deliberately broad and unrestrictive in scope.

The need to juggle the requirements of the standard and the needs of the business (which may not be served by meeting that standard, or may be best served by meeting the requirements of the standard at a different level) has meant that standards compliance has become a hotbed for skilled consultants. Continuing with the ISO 9001 example, the need for businesses to obtain certification under this standard has been one of the primary drivers of demand for consulting services. While quality in general has a positive effect on return on investment, market share, sales growth, sales margins, and competitive advantage, this does not necessarily stem from strict adherence to the letter of the ISO 9001 standard, and a great deal of criticism of the standard has been to the effect that it misleads companies into thinking that certification entitles them to better quality, undermining the need for the business to devise and keep to reasonable quality standards that make sense for its operation.

Similar issues are reflected in IT auditing, under the ISO 27000 standards and otherwise. The exact procedures followed by an IT audit often depend on the nature and organization of the organization's IT infrastructure, policies, and operations, and, as such, determining proper recommendations and appropriate levels of standards compliance for a particular business or organization generally requires significant expertise and experience. This has meant that most IT audit services are not automated, and heretofore could not be automated (because of the highly qualitative nature of much of the audit process), which in turn means that they are time-consuming and labor intensive, and consequently expensive to carry out.

Discussing IT auditing generally, the primary function of an IT audit is to evaluate the systems that are in place for the purpose of safeguarding an organization's information. The audit, then, aims to evaluate the organization's ability to protect its information assets and to properly dispense information to authorized parties. Some sample considerations include the availability of the organization's systems (e.g. whether the systems will be available to properly dispense information at all times when required), the security and confidentiality inherent to use of the systems (e.g. whether the systems can properly identify authorized users and ensure that information is dispensed to them and only to them), the data integrity of the system (e.g. whether the information yielded by the system is generally accurate, reliable, and timely), and any other risks that may apply to certain specific systems. (For example, in certain fields like healthcare, there may be a greater need to comply with patient confidentiality laws, and the audit may require a certain amount of legal analysis in order to determine whether those laws are properly being complied with. In other fields, like defense, the threat profile of the business or other organization may be different. For certain businesses, like government contractors that work in both the healthcare and defense fields, each consideration may apply to certain components of their IT infrastructure but not to other components, which must be properly determined by the consultant.) Equally, there is a requirement to have standards in place for smaller unregulated entities, which are just as important, since downtime, security breaches and the like can be as business-crippling to a smaller unregulated entity as to a larger regulated one. (In fact, such occurrences can often be even more crippling to a smaller unregulated entity, since small entities often rely more heavily on the Internet than larger firms, rather than on well-developed distribution chains or pre-existing relationships with other entities. A smaller firm that does all of its business online will be relatively more badly hurt by downtime, and a smaller firm without an established reputation may find its business more damaged by a security breach.) As such, all businesses can benefit greatly from such standards implementation, though they may need to prioritize different aspects; the relative impact of the standards process, and of not implementing a part of the standards process, each need to be considered for each business. This adds a significant amount of complexity.

Different IT audits may be applicable to different systems, or may be requested by different businesses, further complicating matters. Various taxonomies have been created to encompass these sets of audits, based on the intended purpose or on the intended system under examination. For example, when auditing for a particular purpose, an audit might be conducted as a “technological innovation process audit,” in which the audit involves constructing a risk profile for all of the projects (old and new) that the business or other organization has been conducting, or might be conducted as an “innovative comparison audit,” in which the audit involves analyzing the innovative abilities of the company being audited in comparison to its competitors. (These generally involve analysis of a company's research facilities and related IT infrastructure.) An audit may also be conducted as a “technological position audit,” whereby the technologies that the business has already adopted are reviewed so that gaps can be identified and the business can determine what needs to be added. In another standard taxonomy, IT audits may be classified based on what systems are undergoing examination; one standard five-way or “general controls” audit looks specifically at systems and applications (which may entail determining whether systems are appropriate, efficient, and adequately controlled), information processing facilities (which may entail analyzing those facilities under both normal and potentially disruptive conditions), systems development (which may entail determining whether the systems currently under development or in the process of implementation meet the objectives of the organization and meet all other requirements for new software), management (which may entail determining whether IT personnel have developed an efficient and effective organizational structure), and telecommunications (which may entail ensuring that telecommunications controls are present on every essential device on a network, from the client to the server and including any intervening stages). Other taxonomies may separate IT audits into “general control review” and “application control review” audits. In many cases, different audits within the taxonomy may have to be conducted by different experts or different firms, depending on the type of expertise that is necessary.

Audits can also be divided into “internal” and “external” audits. Internal audits are conducted by the personnel of the organization, often by dedicated corporate internal auditors. (An information technology audit may overlap with other types of audits, such as a financial audit.) An external auditor may then be contracted to review the filings of the internal audit and conduct their own independent review.

Traditionally, IT audit services for an external audit are set out in an engagement letter, which is often secured through a proposal or tendering process. (Similar letters are often provided in internal audits to give notice and scope of the upcoming audit, with external audit letters often being more complex and further including topics like legal liability.) The resources of the external auditor, such as staff, may then be used to manually gather data. In traditional audits, the collection of data is almost always an onsite process with all resources located at the organization being audited. This means that auditing resources may be required at multiple locations, or deployed in series, to sufficiently cover the sites of operations.

The external auditor may then conduct a verification process, usually collecting as much data as possible directly from the source without human interference, thus decreasing the verification effort needed to ensure that data is complete, accurate, and valid. This involves the steps of inquiry (e.g. asking appropriate management personnel or other organizational staff about procedures), inspection (e.g. determining whether those procedures are actually being performed), observation (e.g. determining what procedures occur in the absence of documentation), and re-performance (e.g. having the auditor perform a particular control themselves, in the absence of evidence that it is operating effectively, for final verification). When it comes to reporting the findings, these are manually captured and aggregated into a document and distributed via email. Should any remediation be required, it is necessary to perform a follow-up audit. An example audit process is depicted in prior art FIG. 11.

As discussed above, certain systems that businesses or other organizations may be operating can significantly complicate analysis. For example, further challenges and problems arise with larger groups which are made up of multiple entities with a high number of employees, covering a range of industries, located on a number of different sites, with a large number of domains and using different IT systems. There is often no common infrastructure and no baseline standards, and the IT environments or landscapes vary in size, complexity, posture and maturity. There are also limitations with regard to the budget, scalability and capacity of the IT assurance function, meaning that the complexity of the system often exceeds the capacity of the auditor to perform the audit. Due to the costs and limitations of manual review, the auditor often must perform a risk-based auditing approach, effectively a “good-enough” approach, that might determine whether the system has met certain minimum standards or that might determine that particularly critical systems are compliant, without analyzing the system for compliance with other requirements or analyzing less apparently critical systems. This can mean that major, unexpected security holes are missed in their entirety by an auditor who would have caught them had they been in a more critical-appearing system. With the introduction and adoption of progressive technologies like cloud, “internet of things” (IoT) devices, and big data into the IT environment, auditors not only have to stay abreast of these technologies, they need to understand the associated risks and how to audit them.

Some software has been created to facilitate the audit process and assist auditors. Many of the software tools presently on the market have similar capabilities to one another, and are generally limited in applicability to specialized, isolated areas within an IT audit. A discussion of a selection of them, for demonstrative purposes, follows.

CELONIS is process auditing and visualization software, which may be used to analyze and visualize certain processes in a company. Its solutions analyze procurement, human resource, information technology service management, logistics, production, accounting, sales, audit, and other branch-specific processes, through either on-premise installation or a software-as-a-service implementation. For example, CELONIS offers certain tools for IT systems that can be used to visualize what is driving the majority of IT tickets, and can be used to help determine where solution times and first-level support can be optimized and accelerated. It can also be used to help analyze ticket wait times, or the wait times of certain tickets, in order to determine where complexities or confusion complicate certain matters, cause time-consuming ticket “ping-pong,” or even cause outright circumvention of the ticket system. Having this data available can help optimize personnel in an IT department.

While CELONIS can automate certain aspects of data collection which may be of interest to an IT auditor, CELONIS cannot automate an audit evaluation. As discussed, CELONIS is responsible for reconstructing and visualizing processes, thereby detecting deficiencies automatically, analyzing processing times and detecting bottlenecks. The inputs into CELONIS are specifically focused on data from a database rather than inputs in the form of scanned documents or unstructured data.

A similar system, KPMG SOFY, has similar shortcomings. This system is process auditing software that is not IT audit focused (but which may similarly be used to assist IT audits) and involves a specific client implementation that is customized to the organization's IT systems. It provides process insights, tax insights and data quality insights. It is also a risk management platform with access control monitoring capabilities, which is, again, useful for IT audits. However, KPMG SOFY is similarly unable to develop its own data, being unable to operate without data being provided from a database.

Other tools may be useful to an IT auditor for other purposes. For example, certain IT environment scanning and reporting software tools may be in common use.

One example is SPICEWORKS NETWORK MONITOR, a software suite focused on improving the ability of IT professionals to discover, manage and monitor the software and hardware assets in their networks. This tool has features such as internet protocol (IP) scanning, remote support, inventory management and reporting, network monitoring, a connectivity dashboard, and many others. Whilst these operational insights are critical to proper IT management, and the tool can be used to facilitate certain aspects of the audit such as the “re-performance” step, this tool is not configured to carry out IT audits on its own, and cannot take any proactive action in this regard. For example, the tool cannot be used to provide an audit opinion of the environment against industry and best practice standards, based on the network traffic that it has captured, analyzed, or monitored.

Other IT environment scanning and reporting software suites, which are not audit focused, include SPLUNK and ZABBIX.

SPLUNK is an analytics platform and security information and event management (SIEM) solution that offers some data collection mechanisms and various tools to analyze and display results. The SPLUNK system is specifically intended for searching, monitoring, and analyzing machine-generated “big data,” via a Web-style interface, which may be used in order to make this machine data more accessible across the organization as a whole by identifying data patterns, providing metrics, diagnosing problems, and providing intelligence for business operations. This core SPLUNK package makes use of a standard API to connect directly to certain applications and devices on a network.

SPLUNK has several additional offerings that may be integrated with this core package in order to provide additional functionality. For example, SPLUNK ENTERPRISE SECURITY software is used to provide the SIEM functionality discussed earlier. This software detects and responds to internal and external attacks on the IT environment, in a similar fashion to other security solutions. SPLUNK ENTERPRISE SECURITY then offers various analytics having to do with these security events, which allow metrics like “risk modifiers” to be computed and tracked over time. It simplifies threat management while minimizing risk and safeguarding the business using it, allowing the business to identify, prioritize, and manage security events by providing event sequencing and alert management functionality, risk score calculation, and customizable dashboards and visualizations.

SPLUNK ENTERPRISE SECURITY, however, does not provide any ability to collate its data with data from other security tools, such as OpenVAS, Nessus, MBSA, Nmap, or others, which might be used as part of an audit. Likewise, the SPLUNK ENTERPRISE SECURITY system does not apply its results to audit standards in a manner that allows the results to be analyzed based on whether the audit standards are met or not. Finally, while SPLUNK ENTERPRISE SECURITY provides some metrics regarding risks and recommendations, it does not provide these metrics in a manner that contextualizes them in the form of audit standards or compliance to standards. This software is also not audit friendly.

SPLUNK QUICK START BUNDLES group applications and connectors from other companies or businesses into SPLUNK. This software, likewise, does not provide audit or compliance reviews. It can match results to compliance standards, but is limited in how it can be applied: specifically, it is limited to the network and data sections, rather than the whole IT auditing standard suite. While this is useful, it still means that SPLUNK does not provide end-to-end processing of an IT audit.

As such, even in view of all of the capabilities of the SPLUNK software suite, there is still a need to bridge all of the disparate software solutions in such a manner that the outputs of the software can be analyzed and used as the basis for recommendations. The ability to automate such processing would likely mean that this information can be provided at a fraction of the cost of other existing software.

Another problem with existing systems such as SPLUNK that have “connectors” or otherwise interact with other information sources is that, in almost all cases, such data collection is limited to “point-in-time” or “batch” collection, whereby information must be specifically retrieved from the information source at a designated time, and all other processing must be put on hold until the collection is completed. This frustrates any attempt to use such software in continuous operation.

ZABBIX is another network platform that collects data and provides it back to the user. Specifically, ZABBIX is an open-source monitoring software tool that can incorporate a variety of diverse IT components, such as networks, servers, virtual machines, and cloud services. ZABBIX may provide certain operational metrics for each of these devices, such as network utilization, CPU load, disk space consumption, and others; ZABBIX also includes or supports other functionality like system availability monitoring and an audit log. However, a problem with ZABBIX is that it is unable to translate the data that it collects in a manner that allows the data to be combined with documents and governance structures in order to provide availability information (or other information) useful to an IT audit of the IT environment.

Other existing software suites are broadly similar to the above at best, generally duplicating some or all of the features of the above software. As such, a general problem with the above software, and with all other similar software provided in the art, is that such software only provides gathered data back to the users through interfaces and alerts. No software is able to collect all the data necessary for an audit on its own, or to digest the results of multiple data sources such that the data can be combined into an amalgamated form that serves as a single view of the IT audit landscape, which can then be provided to IT auditors or others in order to allow them to better visualize the state of the IT system of a business or organization and how it comports with applicable standards. Neither do any of the systems provided in the art allow recommendations to be generated for an auditor or even for a user based on the data gathered. Essentially, all that the existing software systems typically do is to make data available for analysis by humans.

The existing platforms mentioned above require extensive product knowledge to implement. This can often mean that there are significant implementation costs associated with integrating the tools into the environment of the organization. Subsequent training may be required in order to derive maximum value from the tools and features.

Many of the similar products mentioned above have been built to function with a specified or limited number of systems. These products will only report on results for the fit-for-purpose system and will not consolidate outcomes from two or more applications in the environment. This will often result in the auditor needing to review outcomes from multiple tools in order to cover the critical applications in the organization, and a consolidated risk report then has to be manually prepared.

In assessing the capabilities of existing platforms and designs for the system, there are a number of challenges that thus far have prevented adoption of a single view of the audit procedure. One of these challenges is the legal ramifications of co-development between parties who are generally in competition for business. A competitor may not want to reveal the crown jewels of their methodology through co-development and would want exclusivity for certain content and features. This is particularly difficult to carve out of a single software application. The ability to ring-fence certain aspects and features is not supported by any of the software discussed above. The requirement to share intellectual property also creates a misalignment between the legalities and technicalities of working in a co-development relationship. A unique solution is thus required to provide an API gateway platform where development can take place in isolation and can leverage existing or new development in a collaborative manner.

The need to have the program function while some aspects of it are kept in isolation from one another adds greatly to the technical complexity. The scarcity of talent with the necessary skills and expertise to build this solution means that significant capacity constraints will exist in any development team. This adds to the fact that any given development team is going to lack subject matter experts across all the broad areas across which the audit is to be performed, requiring collaboration and co-development with consultation and insight from third parties. As such, not only must the system be developed, but the system must then be operable to allow the content and contribution of a subject matter expert to be introduced into an ecosystem of other contributions, where the usage of or referrals to the specific content are measurable, controlled, monitored and, where necessary, expanded upon.

The complexity of the problem has also meant that any attempt to research a solution would be hampered by extensive resource constraints. The sort of extensive resource injection required is generally unfeasible for most development teams outside of those operated by large and profitable companies. While in some cases, as with open-source software, it has been possible to heavily decentralize development and create projects that would otherwise have required an extensive development team with varying skills, the nature of the project makes this approach inherently troublesome as well, since the project must be very carefully planned. For example, individual contributions may not be directly aligned with the “ring fences,” or may be reliant on content that may need to be “ring-fenced” off.

Further business concerns would likewise complicate the process of implementing any solution. For example, it may be difficult to effectively market and distribute a project that has been based on the efforts of a large number of voluntary contributors, and it may be difficult to continue to solicit such contributions and continue development once marketing and distribution has started. As such, many technical solutions would not be viable for business reasons as well as technical reasons. A unique solution would therefore be required that allows value to be derived by sales and marketing partners together with contributors, in a mutually beneficial arrangement.

SUMMARY

According to an exemplary embodiment, an automated, novel and inventive system for implementing a platform for facilitating an IT audit may be provided. Specifically, it may be contemplated that an exemplary embodiment of the present system may provide an integrated and automated solution for an IT auditing system, providing an audit solution in a manner that does not require human effort or involvement, effectively allowing for digitization of an IT audit workforce, and which provides audit-as-a-service and makes IT security assurance available for any IT environment, irrespective of the size, complexity, posture or maturity of the IT environment.

An IT audit system may be a platform on which subject matter experts may contribute their expertise to a shared pool of resources. Clients may select and choose their audits based on the available components on the platform and customize the combination as appropriate. The present system may provide a way for organizations that lack specific subject matter experts, or have a scarcity of in-house IT audit and security specialists, to purchase these services from the inventive system, thereby providing greater digital enablement of IT auditing strategies.

An exemplary embodiment of such a system may be configured to perform network scans and count devices and logs, and may further be configured to perform IT audits against specific standards, analyze process maturity, and analyze physical documents and written policies. In certain exemplary embodiments, the system may be equipped to obtain data from various sources, including tools such as some of those described above, interpret the logs and findings of these tools, and generate recommendations based on those logs and findings, which may enable auditors and their stakeholders to understand context and risk within the standards that the results are measured against. According to an exemplary embodiment, the present system may integrate any of the above-mentioned tools or other IT monitoring tools, and may be configured to generate recommendations based on the data which is extracted from these tools as well as other data manually submitted to the invention. In an exemplary embodiment, data may be aggregated, and recommendations may be generated, in a form directed at any potential viewer, such as a user, company, group of companies, client or customer.

This data obtained from software tools such as are described above, along with other process and physical data, may be used by an exemplary embodiment of a platform such as is contemplated herein in order to audit the IT environment automatically against IT auditing standards. As discussed, existing tools only provide gathered data back to the users through interfaces and alerts, without providing any ability to incorporate data from a variety of sources such that multiple sources can be amalgamated into a single view of the audit landscape, and such that recommendations regarding standards compliance can be drawn from this single view. The presently contemplated platform thus may provide an always-on audit, compliance and monitoring system and method.

It is noted that, while it is contemplated that exemplary embodiments described herein provide a platform that may be useful in performing or assisting an IT audit, similar platforms or even a combined platform may also be used to perform audits over other processes such as financial controls, supplement the efforts of a manual auditor, or may be used to automatically perform only a limited part of an IT audit according to the taxonomies listed previously. For example, an “IT audit” may encompass a variety of IT audit reviews, such as IT general controls, cybersecurity hygiene, software licensing, and other IT audit reviews. An exemplary embodiment of a platform may function to perform any or all of these, such as just the general controls review, just the cybersecurity hygiene review, and so forth, and may then amalgamate its results with the results of a manual review. (The platform may also perform automatic review in circumstances where a manual review has been performed, and amalgamate both sets of results.) The platform may then generate recommendations based on the amalgamated data.

In a first exemplary embodiment, there may be provided a system for facilitating an automated IT audit, which as discussed may be centered around a platform configured to facilitate the automated IT audit. This platform may include a frontend configured to allow one or more users to access and manage the platform; a network connecting the frontend to a backend; and a data collection system configured to gather data from one or more sources in an IT environment to be used for the IT audit. The backend may include at least one server configured to send, receive, store and process data, and may also include a testing and analyzing system which may include appropriate algorithms, machine learning and artificial intelligence, with this testing and analyzing system configured to test and analyze the data gathered by the collection system against pre-configured best practice standards and/or policies. The platform may further include a reporting component, which may be configured to transmit the tested and analyzed data to the frontend, wherein this data may be presented on the frontend for the one or more users to access and manage or interrogate.

A variety of users and user types may be contemplated, such as one or more administrators. An administrator may be a user provided with special permissions to access, manage and monitor the platform in a manner not permitted to regular users. Various forms of administrator may be contemplated. For example, in an exemplary embodiment, an administrator may be an authorized user of one of an authorized group of companies. The platform may include a portal which allows for management of the platform by the administrator. In an exemplary embodiment, administrator rights may be restricted to one user, or a small number of users, within the company, with “users” encompassing the administrator(s) and other employees of the one or more companies. It may further be contemplated that, while exemplary embodiments of the platform may be tailored to particular users or sets of users, or particular organizations or sets of organizations, the platform may not be limited to corporate applications, and may be used by all other entities, optionally with additional functionality or different functionality based on the nature of the organization. The platform may also be operated by a subcomponent of an organization, without equivalent rights being shared by the organization as a whole. As such, where reference is made to a company, the term company should be considered to include entities including businesses, divisions, departments, or the like, which may form part of a larger group thereof. In certain cases, it may also be contemplated to have rights be shared between organizations, such that, for example, a platform is managed by an administrator employed by a government organization and an administrator at a government contractor retained by the government organization to develop their IT infrastructure.

According to an exemplary embodiment, the platform may be used to provide an IT audit, or certain IT audit services, in a manner that allows the IT audit to be initiated from an online marketplace. In an exemplary embodiment, the platform may have remote access functionality that allows a client to install platform software in particular locations, upload necessary physical documents so as to make them accessible to the platform, and then have the platform initiate the IT audit. The platform may also be configured to track its usage according to a billing algorithm, such that a client is billed for particular services, for the amount of time or other resources spent on performing the selected services (for example, server time of the auditor business), or may otherwise provide flexible and tailored purchasing and billing options.

In an exemplary embodiment, the platform may be modular and scalable, such that the platform may be tailored to suit the needs and/or requirements of a company, a group of companies, and users. For example, according to an exemplary embodiment, the audit services provided by the platform may be provided in the form of modules, skills or controls, with the client subscribing to particular modules, skills or controls based on need. This allows for clients to customize their audit requirements and use of the platform with minimal impact to their environment, as components can be purchased on an as-needed basis and grouped together in a unique configuration for the client.

In an exemplary embodiment, the modules used may be tailored based on the risk profile of a company, or of the group of companies. In such an exemplary embodiment, the group of companies may correspond to, for example, companies in a particular industry segment (which may face attacks from similar threats or types of threats, such as industrial espionage attempts in an R&D-heavy industry segment), companies in a particular geographical area (which may, for example, face particularly sophisticated social engineering attacks from a skilled criminal element in the area), companies in a particular climate or which are operating on certain infrastructure (it may, for example, be contemplated to analyze factors like a likelihood of natural disasters like hurricanes, or an “availability factor” of the local power infrastructure, as part of an availability analysis), or any other such grouping of companies such as may be desired.

Some exemplary embodiments of modules that may be included or which otherwise may be available are as follows. A first exemplary module may be a module for IT audit review, which may be equipped to perform every element of an IT audit review and which may potentially be combinable with other audit modules, including non-IT audit modules (such as financial audit modules), if desired. Another exemplary module may be an audit readiness review module, which may be run initially in order to populate an audit readiness checklist for the company's IT infrastructure (or any other infrastructure such as may be desired) and provide the result to the company in order to allow them to better prepare for an audit, by, for example, telling the company what needs to be done and how long it is likely to take. Another exemplary module may be used to analyze particular software or hardware, and may, for example, provide patch management review and vulnerability scanning, or network inventory review of hardware and software. Another exemplary module may be used to analyze the security of systems that the company is dependent on, such as the controller of the company's Web domain, and may, for example, conduct a domain controller security review. Another exemplary module may be a security hardening review module, which may be equipped to test the hardening of the company's IT infrastructure against attacks.

A further module may include a license optimization review module or other software asset management module, which may determine which software may be preferable for a company to use, or which licenses to that software may be preferable, based on the company's actual needs. (This may include, for example, an evaluation of the company's software usage as well as an evaluation of the company's requirements for software license terms. Part of this analysis may include, for example, an evaluation of which software is installed on which machines, whether the software functions as stand-alone software that can be licensed separately or whether it must be licensed as part of a software suite, who uses the machines and what their requirements are, how the machine is configured, what dependencies the machine has on other devices and what requirements it has for inputs/outputs, and comparison of all of these attributes to the company's actual license in order to determine whether the company has a license that accurately reflects its needs. For example, it may be determined that the company has several independent licenses to the same software, maintained by different departments, which could be consolidated into a cheaper overall license. Or, it may be determined that a software license that allows for thirty simultaneous users is never actually used by more than two at a time, allowing the scope of the license to be reduced. It may also be determined that a free software alternative exists under license terms that the company has specified are acceptable, or which the company has specified are acceptable in that context; for example, the company may specify that the MIT license is acceptable but that the GNU General Public License is not, restricting the scope of alternatives.) Another module may be a vendor management review module, which may provide similar functionality when evaluating the vendors that the company is using and the specific agreements that the company has with those vendors.
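The three checks this paragraph describes (seats licensed versus peak simultaneous use, independent departmental licenses that could be consolidated, and free alternatives filtered by the company's acceptable license terms) as an added example; this is not code from the patent, and the inventory, session log and alternative catalogue are constructed sample data:

```python
"""Added example, not from the patent: checks a license optimization review module could run
over constructed inventory, session-log and alternative-license data."""
from collections import defaultdict
from datetime import datetime

# Constructed license inventory: (product, department holding the license, seats licensed).
LICENSES = [
    ("CAD Suite",  "Engineering", 30),
    ("CAD Suite",  "Facilities",  10),
    ("CAD Suite",  "R&D",         15),
    ("Office Pro", "Finance",     20),
]

# Constructed usage log: (product, user, session start, session end), ISO 8601 local time.
SESSIONS = [
    ("CAD Suite",  "alice", "2024-03-01T08:00", "2024-03-01T12:00"),
    ("CAD Suite",  "bob",   "2024-03-01T09:30", "2024-03-01T10:30"),
    ("CAD Suite",  "carol", "2024-03-01T11:45", "2024-03-01T13:00"),
    ("CAD Suite",  "alice", "2024-03-02T08:00", "2024-03-02T09:00"),
    ("Office Pro", "dave",  "2024-03-01T08:00", "2024-03-01T17:00"),
]

# Constructed catalogue of free alternatives: (product replaced, alternative name, its license terms).
ALTERNATIVES = [
    ("CAD Suite", "OpenDraft (constructed)",   "MIT"),
    ("CAD Suite", "LibreSketch (constructed)", "GPL-3.0"),
]
# License terms the company has declared acceptable (the text's example: MIT yes, GPL no).
ACCEPTABLE_TERMS = {"MIT"}


def peak_concurrency(sessions, product):
    """Sweep-line count of the most sessions open at once for one product."""
    events = []
    for p, _user, start, end in sessions:
        if p == product:
            events.append((datetime.fromisoformat(start), 1))
            events.append((datetime.fromisoformat(end), -1))
    # Sort by time; on a tie, process the end (-1) before the start (+1) so a seat
    # handed over at the same instant is not counted twice.
    events.sort(key=lambda e: (e[0], e[1]))
    peak = current = 0
    for _t, delta in events:
        current += delta
        peak = max(peak, current)
    return peak


def seats_held(licenses, product):
    return sum(seats for p, _dept, seats in licenses if p == product)


def consolidation_candidates(licenses):
    """Products licensed independently by several departments (the text's consolidation case)."""
    depts = defaultdict(list)
    for p, dept, _seats in licenses:
        depts[p].append(dept)
    return {p: sorted(d) for p, d in depts.items() if len(d) > 1}


def acceptable_alternatives(alternatives, product, acceptable=ACCEPTABLE_TERMS):
    return [name for p, name, terms in alternatives if p == product and terms in acceptable]


def license_findings(licenses=LICENSES, sessions=SESSIONS, alternatives=ALTERNATIVES):
    """One finding per product: seats held vs. peak observed use, plus consolidation and alternatives."""
    consolidate = consolidation_candidates(licenses)
    findings = []
    for product in sorted({p for p, _d, _s in licenses}):
        held = seats_held(licenses, product)
        peak = peak_concurrency(sessions, product)
        findings.append({
            "product": product,
            "seats_held": held,
            "peak_concurrent": peak,
            "oversized": peak < held,  # scope of the license could be reduced
            "consolidate_from": consolidate.get(product, []),
            "acceptable_alternatives": acceptable_alternatives(alternatives, product),
        })
    return findings


if __name__ == "__main__":
    for finding in license_findings():
        print(finding)
```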

A further module may include a cloud readiness review module, which may assess technology, people, and processes operated by the company in order to determine what data should be stored locally and what data could be uploaded to a cloud database or otherwise integrated with the cloud. Another module may provide operating monitoring review, which may evaluate the overall operations of the company's IT systems. Another module may be a legal compliance module, intended to evaluate the company's compliance with particular laws or regulations, or an ethical compliance module, intended to evaluate the company's compliance with certain ethical codes or social standards. One example might be a King IV reporting review module, which may evaluate aspects of the company's governing structure in order to ensure compliance with the South African “King Code,” a set of principles and practices intended to help guarantee accountability, fairness, and transparency in organizational conduct. Another module may provide certification readiness review, intended to evaluate whether the company is in a good position to apply for or receive a particular certification or begin a certification audit.

An exemplary embodiment of skills that may be included or which otherwise may be available is as follows. A first exemplary skill may be a reading skill, able to recognize specific information in a scanned document. At present this information may relate to a policy, but the skill may later be trained to read contracts, agreements, and other documents.

In an exemplary embodiment, an audit performed by the platform may include the automated collection, storage, analysis and reporting of IT environment and cyber security data, which may include steps of comparing this data against various IT best practice standards and/or company policies. The platform may be configured to perform audits against specific standards, and to analyze process maturity, physical documents and written policies. The standards may be legal or regulatory, or may be certificatory or voluntary, such as ISO 27001, which provides specific requirements for an information security management system (ISMS). The standards may include, for example, standards regarding password management, using password management technology, procedures for periodic review of access, and so forth.

In an exemplary embodiment, data may be collected from various sources, including IT monitoring tools and applications. Once this data is collected, the platform may then interpret the logs and findings from the collected data, and may translate the results for auditors and the stakeholders, in such a manner as to enable the auditors and stakeholders to understand context and risk within the standards that they are measured against. According to an exemplary embodiment, in order to facilitate collection of data, the platform may be configured to allow for the connection of existing tools and applications, which may allow data to be uploaded directly from those existing tools and applications. The platform may then be configured to generate recommendations based on the data extracted from the IT monitoring tools and applications using cognitive automation, rule configuration analysis, machine learning and artificial intelligence. The platform may generate recommendations based on the data gathered and may amalgamate multiple sources in a manner that focuses the sources into a single view of the IT audit landscape. For example, in an exemplary embodiment, the platform may be configured to connect to security tools such as SPLUNK, OPENVAS, NESSUS, MBSA, NMAP, etc., collate the results and apply them to audit standards, as well as translate the risks and make recommendations to different users like the user, administrator, company or group on how to comply with the standards. For example, the platform may consume the core information from SPLUNK and may then combine it with governance and manual processes. The platform may then translate this evidence into new evidence that is compatible with an auditing process (“audit-friendly”) and may then apply it to audit standards.

An exemplary embodiment of the present platform may thereby generally provide an integrated and automated solution of an IT audit function that does not require human effort or involvement. (Again, however, in exemplary embodiments of the platform, the platform may also operate alongside a human auditor as an aid. It may also be contemplated to have the human auditor be able to intervene or elect to become involved based, for example, on preliminary status reports, such as if the human auditor notices something unusual or believes that the company represents a special case distinguishable from other similar companies.) It may further be contemplated to have the platform be expandable with additional functionality, for auditing any other records or controls such as financial controls or customizable compliance auditing procedures like compliance with the terms of a specific contract or even potentially the claims of a specific patent.

According to an exemplary embodiment, a platform such as is contemplated herein may be implemented on a network that may be virtual or physical. The platform may, for example, be configured to make use of cloud computing, such that the platform may be configured to operate on a cloud computing platform. The cloud computing platform may include GOOGLE CLOUD PLATFORM or another such platform, such as may be desired. In an exemplary embodiment, the platform may operate in a virtual space with cloud services being used by various users or companies which form part of a group of users or companies. This may improve the overall security of the platform by ensuring that there are no networks to breach or custom servers to penetrate.

According to an exemplary embodiment, a cloud platform or combination of platforms may be selected or implemented in order to provide certain usage functionality, including audit logging, URL reputation management (which may, for example, provide an indication of whether a URL is considered to be trusted or untrusted), binary reputation (which may, for example, provide an indication of whether any downloadable files, such as non-text or “binary” files, are legitimate), login reputation management, in-app reputation management, and any other such usage functionality. Likewise, a platform or combination of platforms may be selected or implemented in order to provide certain operations functionality, such as providing automatic updates and patching to some or all software services through the cloud program, securing all data with a set of uniform secure best practices and configurations, performing threat analysis and applicable intelligence collection applicable to a broad set of related data sets (such as other data stored on a cloud system), performing data forensics, performing anomaly detection, and performing organized incident response. (For example, in an exemplary embodiment, the step of performing threat analysis may include inspecting items with a set of virus and malware scanners or other software in order to ensure that the data uploaded to the platform is safe. One example of such a system, GOOGLE's VIRUSTOTAL program, may inspect items with over 70 antivirus scanners and URL/domain blacklisting services, in addition to other tools that can be used to inspect certain specific signals in the studied content.) It may also be contemplated to have the platform simply provide recommendations for remediation of each of these features by the entity being audited or reviewed, which may ensure that the platform can remain independent from each of the software services in question.

Likewise, a platform or combination of platforms may be selected or implemented in order to provide certain deployment functionality, such as providing an unphishable hardware second factor such as a physical location of the hardware, implementing the TLS cryptographic protocol (or another cryptographic protocol) for all communications, performing DDoS protection through appropriate allocation of resources among the entirety of a cloud system (e.g. load balancing software and the like), performing TLS certificate pinning to the cloud system specifically, and any other deployment functionality that may be desired. (Other such access control functionality or other deployment functionality, such as firewall and access control software, may also be contemplated to be implemented, which may, if desired, operate under a “default deny” system where traffic is restricted unless it is specifically authorized.) Likewise, a platform may be configured to perform certain application functionality, such as application vulnerability scanning, binary verification, source code provenance, third-party code reputation management, and automatic enforcement of peer review for all changes to important aspects of the cloud software. A platform may be configured to have certain storage functionality, such as storage encryption, storage Identity and Access Management (IAM), and logging. A platform may be configured to have certain operating system (OS) and inter-process communication (IPC) functionality, such as the use of a custom-hardened kernel for cloud operations, authentication for each host and each job, and the use of curated images. The platform may be configured to have certain boot functionality, such as the use of a trusted boot process and the use of cryptographic credentials. Finally, in some exemplary embodiments, the platform may make use of purpose-built hardware, including purpose-built chips, purpose-built servers, purpose-built storage, purpose-built network infrastructure, and purpose-built data centers, which may improve overall security and optimize the functions of the overall infrastructure.

According to an exemplary embodiment, the platform frontend may include an application engine, which may be connectable to a variety of devices on which data may be displayed or commands may be executed, such as a mobile phone, laptop, tablet, personal computer or similar computing device. The connection may be wireless or wired (via a cable), such as may be desired.

According to an exemplary embodiment, the platform backend may include an application engine. The frontend application engine may be connected to the backend application engine. The backend may also include data storage, such as cloud data storage. An exemplary server used as part of the platform may be a cloud-based server.

The platform may be contemplated as being deployable simultaneously in any number of IT environments that range in geographical location, IT maturity, complexity of systems, posture and size of infrastructure and users. In various exemplary embodiments, the platform may be adapted for the different IT environments through methods such as those discussed above. (One example is that a legal compliance module may be regional or geographical, such that the company undergoing the audit is only examined based on the laws to which it is actually subject.) The platform may not be limited by the scale of the environment into which it is deployed, and can cover any range of applications and sub-applications. The platform may connect to and interact with data in a remote and automated manner.

According to an exemplary embodiment, data may be gathered by a collecting system. The collecting system may include connectors (essentially, links between one type of data structure or format and another type) and may also include a web user interface (UI) for manual collection of data. In various exemplary embodiments, it may be contemplated to have the connectors be specifically tailored to a certain type of data structure, format, or program, and it may further be contemplated to have generic connectors which may be configured to collect data from any data source that could be mapped by the front end user via the user interface to classify certain data fields. This may allow for new connectors to be developed relatively easily, allowing, for example, proprietary data formats or unusual data formats to be collected given enough customization. The collecting system may be connected to the testing and analyzing system of the backend.

In particular, in an exemplary embodiment, the collecting system may be configured such that information may be collected in such a manner as to provide continuous auditing, such that information is collected and evidence is audited simultaneously, without pausing information collection for evidence auditing or vice versa. (In some cases, this may be a function of the collection system or of individual connectors defined therein. According to an exemplary embodiment, the collecting system may be configured to use “point-in-time” or batch collection instead of, or in addition to, continuous data collection; for example, there may be circumstances in which a particular system is so rarely used as to eliminate most of the need to write and implement a custom connector, or there may be circumstances in which a particular system is a legacy system that is somewhat poorly understood and a legacy connector must be used, each of which may require “point-in-time” data collection.)

According to an exemplary embodiment, the connectors may utilize a buffer system such as the publish/subscribe pattern (or PUB SUB) to feed data into the cloud. The connectors may be run based on a schedule configured by the user via the frontend. The connectors may be centrally deployed and may remotely access the applications/computers as necessary to pull relevant data utilizing relevant remote technologies such as WMI, API, SQL or Remote Registry.

According to an exemplary embodiment, the connectors may form a connector framework which is connected to the backend. The connector framework may function as the primary mechanism for receiving data. All connectors may be based on a standard open source framework. The platform may support the addition of new connectors, which may be written or uploaded by the user, administrator or companies. The platform may support the addition of new standards, with the standards being provided in writing. All connectors set up may be viewed and managed via a user interface. The user interface may be the same web UI described above.

In an exemplary embodiment, the platform may be configured to operate in IT environments enabled virtually, through deployment of the connectors into the IT environment, with the data processing being performed in the cloud. In such an embodiment, the platform may be connected to new connectors regularly, wherein the new connectors are deployed regularly.

Exemplary embodiments of connectors that may be incorporated into the present platform may be described herein. A first type of connector may be a scanning tool that collects environmental data such as internet protocol (IP) addresses, device names and installed software. A second type of connector may be a connector that uses existing application programming interfaces (APIs) or direct logins to collect data directly from an application or an application database.

According to an exemplary embodiment of a first type of connector, a first type of connector may be provided with domain administrator credentials, such as a domain administrator username and password, which may be used to scan the local environmental data. For example, according to an exemplary embodiment, the platform may be assigned its own unique domain administrator credentials, such that the domain administrator credentials available to the platform can be appropriately limited and can be maintained in the local environment without being communicated to the web or to any other outside environment, such as GOOGLE CLOUD PLATFORM.

According to an exemplary embodiment of a second type of connector, a second type of connector may be provided with the API information or the direct login credential information by an operator of the platform, and this information may be maintained in a local environment in an encrypted form. (This may, for example, include credentials to access one or more cloud systems as well as one or more local systems, allowing the platform to perform one or more scans on cloud systems; such credentials may likewise be stored in this sequestered space or “secure vault.”) According to an exemplary embodiment, the credentials may be stored in such a fashion that they are not connected or communicated to the web or to any other outside environment, such as GOOGLE CLOUD PLATFORM, and may likewise be a set of credentials uniquely corresponding to the platform rather than being shared between the platform and one or more other parties.

In an exemplary embodiment, either of the types of connectors (such as the first “scanner-type” connector and the second “API/login-type” connector) may be integrated with other software or other software modules. For example, according to an exemplary embodiment, a connector may be paired with a security module that may, upon scanning the local environment to retrieve data or upon retrieving data from a particular API or other program, identify one or more security weaknesses in the local environment or in the use of the particular program, and may then alert the customer of the security weaknesses identified. Integration with other modules may also be contemplated, such as may be desired.

For example, according to an exemplary embodiment whereby a connector is paired with a security module, a connector may first be kicked off in order to run against an on-premise or cloud environment. For example, in one exemplary embodiment, a connector may be used in order to collect data from the Active Directory. The data and records that may then be collected by the connector may then be transmitted to the platform backend, where processing may in some exemplary embodiments be suspended in a queued state until the connector has successfully completed the scan. (In other exemplary embodiments, steps like preprocessing may be taken when the data and records are being collected by the connector, if desired; in other exemplary embodiments, the process may run in parallel with other processes that place a greater demand on system resources.) Once a completed data set is received by the security module, the security module may operate to process the completed data set against predefined rules, logic, and machine learning algorithms. For example, according to an exemplary embodiment, one predefined rule that may be specified for the platform may be to identify all Active Directory accounts that have not changed their passwords, or which have not changed their passwords in a specified period of time. The result may then be displayed as an outcome or as part of a dashboard that may be viewable by the client through their front-end web user interface. Various results and visualizations of this process may be contemplated, such as, for example, a listing of all of the users that have not changed their passwords. The security module may then, if desired, take further steps based on this finding; for example, in an exemplary embodiment, it may be contemplated that the security module may send alerts resulting in email, text, or other push notifications, such as may be desired. For example, it may be contemplated to have the security module send an email to an administrator after the conclusion of the operation, advising the administrator of the new outcome in the platform related to Active Directory. Variations on this process may also be considered; for example, it may be contemplated to have a customizable alert be sent to the administrator such that the administrator can specify what information should be conveyed, such as providing a level of compliance with password procedures as a percentage within the message subject header.

In an exemplary embodiment, the connectors may include locally situated, or “on-premise,” connectors located in a user's IT environment, which may allow for the automatic collection of data. The connectors may include cloud-based connectors that interface through the web UI. In certain exemplary embodiments, data may be collected by the connectors from source data in a structured form, or alternatively may be collected in an unstructured form.

According to an exemplary embodiment, the overall platform may be configured to test data provided in either structured form or unstructured form, such as may be desired, which may offer numerous advantages over other systems like CELONIS. For example, according to an exemplary embodiment, when unstructured data is determined to have been collected by a connector, which may take the form of an uploaded document (such as a PDF) or an image (such as a JPEG), it may then be subject to a machine learning process to convert the contents of the document or image into text, which may in some exemplary embodiments be a comprehensive cognitive automation process to ascertain and interpret the text as the required evidence and tabulate this into structured data, in order to convert the data into a format onto which the overall platform can then apply audit rules. For example, in one exemplary embodiment, it may be contemplated that, once the user has uploaded data in some interpretable form, such as in the form of a JPEG or PNG, the platform may apply optical character recognition in order to determine that there is a checkbox square in close connection to the term “Enabled,” which may be used in order to determine that the checkbox corresponds to a state of having a particular element be disabled or enabled. The platform may then visually interpret the checkbox in order to determine that it has been checked, indicating that the element is in an enabled state rather than a disabled one. This may, for example, cause the platform to return a result of 1 for the setting (rather than 0) if the setting is a known setting, indicating that the setting is configured correctly, or may cause the platform to create an entry for the setting if the setting is not a known setting, allowing it to be interpreted later, for example by a generic connector or by a modified existing connector that is configured to interpret uploaded data.
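The step after OCR, as an added example that is not the patent's code: tokens with positions (constructed here, as an OCR engine would emit them for a settings screenshot) are grouped into lines, a checkbox glyph immediately left of the word “Enabled” is read as the state of the setting labelled on that line, known settings become a 1/0 result, and unknown ones are recorded as entries for later interpretation. The glyph set, the pixel tolerances and the known-settings table are assumptions.

```python
"""Added example, not from the patent: structure OCR tokens of a settings screenshot into
1/0 evidence for known settings and pending entries for unknown ones."""
from dataclasses import dataclass


@dataclass
class Token:
    text: str
    x: float  # left edge of the token's bounding box, in pixels
    y: float  # vertical centre of the token's bounding box, in pixels


# Glyphs an OCR engine may emit for a checkbox, mapped to "checked" (assumption).
CHECKBOX = {"☐": False, "☑": True, "☒": True}

# Known settings: on-screen label -> canonical setting id (constructed table).
KNOWN_SETTINGS = {
    "Password complexity": "pwd.complexity",
    "Account lockout": "pwd.lockout",
}

# Constructed OCR output for four screen lines; the third label is not a known setting
# and the fourth line contains the word "Enabled" with no checkbox.
TOKENS = [
    Token("Password", 10, 100), Token("complexity", 80, 100), Token("☑", 300, 100), Token("Enabled", 318, 100),
    Token("Account", 10, 130), Token("lockout", 70, 130), Token("☐", 300, 131), Token("Enabled", 318, 130),
    Token("Legacy", 10, 160), Token("telnet", 60, 160), Token("service", 110, 160), Token("☒", 300, 160),
    Token("Enabled", 318, 160),
    Token("Enabled", 10, 190), Token("users:", 60, 190), Token("42", 110, 190),
]


def group_lines(tokens, y_tol=6.0):
    """Cluster tokens into visual lines by vertical position, ordered left to right."""
    lines = []
    for tok in sorted(tokens, key=lambda t: (t.y, t.x)):
        if lines and abs(lines[-1][-1].y - tok.y) <= y_tol:
            lines[-1].append(tok)
        else:
            lines.append([tok])
    return [sorted(line, key=lambda t: t.x) for line in lines]


def interpret_settings(tokens, known=KNOWN_SETTINGS, max_gap=40.0):
    """Return (results, unknown): results maps known setting ids to 1 (checked) or 0;
    unknown lists labels with no rule yet, kept as entries for later interpretation."""
    results, unknown = {}, []
    for line in group_lines(tokens):
        for i, tok in enumerate(line[:-1]):
            if tok.text not in CHECKBOX:
                continue
            nxt = line[i + 1]
            # "Close connection": the word directly right of the box, within max_gap px, is "Enabled".
            if nxt.text.lower() != "enabled" or nxt.x - tok.x > max_gap:
                continue
            label = " ".join(t.text for t in line[:i]).strip()
            state = 1 if CHECKBOX[tok.text] else 0
            if label in known:
                results[known[label]] = state
            else:
                unknown.append({"label": label, "enabled": state})
    return results, unknown


if __name__ == "__main__":
    found, pending = interpret_settings(TOKENS)
    print("known settings:", found)
    print("entries created for later interpretation:", pending)
```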

It may further be contemplated that, as an extension of the capabilities of the platform to interpret unstructured data, the platform may further be configured to interpret data that is structured according to an unfamiliar form, giving the platform the ability to interpret data even in the case where the source of the data is not a pre-specified system with a well-defined connector. In such an exemplary embodiment, once the platform performs a machine learning process to translate the unfamiliar data structure into a familiar data structure, the unfamiliar data structure and the familiar data structure may be compared and a new connector may be automatically developed by the platform, based on the differences between the unfamiliar and the familiar data structure.
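The two preceding paragraphs describe turning an unfamiliar export into the platform's familiar structure (including checkbox-style “[x] Enabled” text of the kind OCR yields) and deriving a connector from the field differences. The following is an added example and not the platform's own code: the familiar schema, the synonym table, the unfamiliar record and the 0.4 match threshold are constructed, and token-set similarity stands in for the unspecified machine learning step. The resulting field mapping is the generated connector; fields that match nothing are kept as new entries for later interpretation.

```python
"""Map an unfamiliar record onto a familiar schema and emit a connector.

Added example (not the platform's code). FAMILIAR_SCHEMA, SYNONYMS,
UNFAMILIAR_RECORD and the threshold are constructed assumptions.
"""
import re

# Familiar schema: canonical field -> value kind ("flag" is stored as 1 / 0).
FAMILIAR_SCHEMA = {
    "password_min_length": "int",
    "account_lockout_threshold": "int",
    "mfa_enabled": "flag",
    "session_timeout_minutes": "int",
}

# Abbreviations expanded before comparing names (constructed table).
SYNONYMS = {
    "pwd": {"password"},
    "len": {"length"},
    "auth": {"authentication"},
    "mfa": {"multi", "factor", "authentication"},
}

# Constructed export from a system that has no pre-built connector.
UNFAMILIAR_RECORD = {
    "MinPwdLen": "8",
    "Lockout Threshold (attempts)": "5",
    "Multi-factor auth": "[x] Enabled",
    "Idle session timeout (minutes)": "15",
    "AuditLogRetentionDays": "365",
}


def tokens(name):
    """Split CamelCase / snake_case / free text into an expanded token set."""
    spaced = re.sub(r"(?<=[a-z])(?=[A-Z])", " ", name)
    out = set()
    for word in re.findall(r"[a-z0-9]+", spaced.lower()):
        out |= SYNONYMS.get(word, {word})
    return out


def similarity(a, b):
    """Jaccard similarity of the two names' token sets."""
    ta, tb = tokens(a), tokens(b)
    return len(ta & tb) / len(ta | tb)


def build_connector(record, schema, threshold=0.4):
    """Return {unfamiliar field: familiar field} for fields that match well enough."""
    mapping = {}
    for source in record:
        best = max(schema, key=lambda field: similarity(source, field))
        if similarity(source, best) >= threshold and best not in mapping.values():
            mapping[source] = best
    return mapping


CHECKED = re.compile(r"\[x\]|☑|✓|\bchecked\b|\benabled\b|\btrue\b|\byes\b", re.I)
UNCHECKED = re.compile(r"\[ \]|☐|\bunchecked\b|\bdisabled\b|\bfalse\b|\bno\b", re.I)


def normalise(value, kind):
    """Coerce a raw string to the familiar value kind; None if uninterpretable."""
    if kind == "int":
        match = re.search(r"-?\d+", value)
        return int(match.group()) if match else None
    if kind == "flag":
        # An unchecked marker wins over the word "Enabled" next to it.
        if UNCHECKED.search(value):
            return 0
        if CHECKED.search(value):
            return 1
        return None
    return value


def apply_connector(mapping, record, schema):
    """Produce (structured familiar record, unknown fields kept as new entries)."""
    structured = {field: normalise(record[src], schema[field]) for src, field in mapping.items()}
    unknown = {src: val for src, val in record.items() if src not in mapping}
    return structured, unknown


if __name__ == "__main__":
    connector = build_connector(UNFAMILIAR_RECORD, FAMILIAR_SCHEMA)
    print(apply_connector(connector, UNFAMILIAR_RECORD, FAMILIAR_SCHEMA))
```

Once `build_connector` has produced a mapping for one system, the mapping itself can be persisted and reused as that system's connector; only unmatched fields such as the retention-days entry need human review.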

In an exemplary embodiment, the connectors may be used to collect user account information, security configurations data, application-specific information, or system-specific information. User account information may include, for example, staff numbers, login data, username, permissions, name and surname, and status. In addition to the above, user account information may also include any other connected information for the employee, such as human resource information like termination dates, email, engagement dates and title. Such information may be used by the platform in order to, for example, identify unused or seldom-used user accounts, or duplicate user accounts, such as may be desired. In an exemplary embodiment, the platform may further collect information about the user account creation process, such as the speed of creation and approval of new user accounts, the history of modification of user accounts, and the speed with which the organization eliminates the user accounts of (or the privileges of, or otherwise controls access for) users that have left the organization. This may allow risk to be determined for the process as a whole, as well as on a per-user basis, if desired.
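The checks named above (unused or seldom-used accounts, duplicate accounts, and the speed with which leavers' accounts are removed) can be run directly over collected account and HR records. The following is an added example, not the platform's own code; the records, the field names (staff number, status, last login, termination date) and the 90-day dormancy threshold are constructed for illustration.

```python
"""Account-hygiene checks over collected user-account and HR data.

Added example (not the platform's code); sample data and thresholds
are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Account:
    username: str
    staff_number: str
    status: str                      # "active" or "disabled"
    last_login: Optional[date]
    disabled_on: Optional[date] = None


@dataclass
class HrRecord:
    staff_number: str
    termination_date: Optional[date] = None


AS_OF = date(2024, 6, 30)

# Constructed sample records: bob holds two accounts, carol and dave have left.
ACCOUNTS = [
    Account("alice", "S100", "active", date(2024, 6, 28)),
    Account("bob", "S200", "active", date(2024, 1, 15)),
    Account("bob.admin", "S200", "active", date(2024, 6, 20)),
    Account("carol", "S300", "active", date(2024, 6, 10)),
    Account("dave", "S400", "disabled", date(2024, 3, 1), disabled_on=date(2024, 4, 5)),
    Account("erin", "S500", "active", None),
]
HR = [
    HrRecord("S100"),
    HrRecord("S200"),
    HrRecord("S300", termination_date=date(2024, 5, 31)),
    HrRecord("S400", termination_date=date(2024, 4, 1)),
    HrRecord("S500"),
]


def dormant_accounts(accounts, as_of=AS_OF, threshold_days=90):
    """Active accounts with no login inside the window; never-used accounts count."""
    cutoff = as_of - timedelta(days=threshold_days)
    return sorted(a.username for a in accounts
                  if a.status == "active" and (a.last_login is None or a.last_login < cutoff))


def duplicate_accounts(accounts):
    """Staff numbers that hold more than one account."""
    by_staff = {}
    for a in accounts:
        by_staff.setdefault(a.staff_number, []).append(a.username)
    return {staff: sorted(names) for staff, names in by_staff.items() if len(names) > 1}


def leaver_exposure(accounts, hr, as_of=AS_OF):
    """Days each leaver's account stayed active after the termination date."""
    terminated = {h.staff_number: h.termination_date for h in hr if h.termination_date}
    exposure = {}
    for a in accounts:
        term = terminated.get(a.staff_number)
        if term is None:
            continue
        # Still-active accounts are measured up to the audit date.
        end = a.disabled_on if a.status == "disabled" and a.disabled_on else as_of
        lag = (end - term).days
        if lag > 0:
            exposure[a.username] = lag
    return exposure


def run_checks(accounts=ACCOUNTS, hr=HR, as_of=AS_OF):
    """Bundle the three findings as a connector's testing stage might emit them."""
    return {
        "dormant": dormant_accounts(accounts, as_of),
        "duplicates": duplicate_accounts(accounts),
        "leaver_exposure_days": leaver_exposure(accounts, hr, as_of),
    }


if __name__ == "__main__":
    print(run_checks())
```

The per-user lag values feed the per-user risk view; their distribution (median and maximum) is the process-level metric the text refers to.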

Security configurations data may, for example, be collected from each application and profile group or role configuration, and may include data on basic password parameters, use of root keys, blocked IP addresses, and so forth. In many embodiments, security configuration data from different programs or systems may share common settings, but may also include some unique settings that are only enforced for a specific grouping of users or role.

Application- or process-specific information may include data which is based on the operational functions of that control. Examples of application- or process-specific information include such information as backup schedules, backup status, antivirus scope, cloud deployments, and devices on the network, amongst others.

In an exemplary embodiment, the connectors may be enabled virtually with limited performance impact on any network or computer processing unit (CPU) of the IT environment. In some exemplary embodiments, the platform may be integrated with multiple connectors configured to operate simultaneously, such that connectors may be simultaneously deployed. A variety of deployment mechanisms are available, which may include, for example, existing supported deployment mechanisms which may be provided by the system provider, or self-developed deployment mechanisms which may be implemented by the user themselves.

In an exemplary embodiment, the connectors may be configured to require a unique login by a registered organization administrator upon set up. This may ensure that secure data is not transferred without authorization. (In other exemplary embodiments, other methods for securing data, such as anonymization of the data or encryption of the data, may be contemplated, and may be used instead or additionally.) The connector framework forms an interface which uses certificate-based TLS to authenticate the backend and encrypt the connector interface traffic. The connectors may make use of credentials with appropriate levels of permissions (in practice, read-only access sufficient for collection, so that a compromised connector cannot alter the audited systems), which may be provided by the user and which may remain within the user's environment in an encrypted format. The data may be transmitted to the backend from the connectors through a hypertext transfer protocol secure (HTTPS) representational state transfer (REST) API interface. The REST API interface may be used for receiving and pushing data within the platform. (In an exemplary embodiment, these APIs may be made available in a form that enables the customer to integrate them into other platforms in order to enhance compatibility between the present platform and other software platforms, such as may be desired.)

In an exemplary embodiment, the web UI may also be connected to the backend. The web UI may allow users to manually submit data, which may in some exemplary embodiments be combined with the other data collected automatically by the platform or which has been previously collected manually. In an exemplary embodiment, data may be downloaded from various registers and reports available in the web UI. For example, according to an exemplary embodiment, a set of documents, a screen capture (for example, from an airgapped system), and/or a list may be manually collected and submitted by the user via the web UI. Some of the data submitted in this fashion may represent, for example, raw user account information data, security configurations data and application or process specific information, all of which may be submitted through such a process, if desired. This may ensure that the user can manually submit any data that they wish to manually submit, or, if the automation of a particular type of data collection is not possible or is not practical, submission of the results of that type of data collection may be performed manually. The submitted data may also include any other information that may be of relevance to the auditing platform or which may have to be specifically prepared for the benefit of the auditing platform. One example of this may be organization hierarchy data, which may be used by the platform to determine a level of authority that each user should have, for purposes of performing a review of access. (For example, it may be contemplated that an IT manager who is promoted to a more senior management role in which they do not perform any direct IT duties may not need administrator access to some of the systems which they had required administrator access to in their previous role.) Another example of information which may, in some exemplary embodiments, be offline or may have to be specifically interpreted for the platform may be data relating to error messages for security controls, which may be related to events that were not handled properly by the company IT systems and which as a result may need additional interpretation by a user (in order to determine, for example, what failed and why). A third example of such information may be, for example, new user forms data, which may relate to users that have not yet been incorporated into a company IT system. Any other such information may also be contemplated. Multiple types of data may be submitted, such as connector information, manual file uploads and unstructured data sources.

In an exemplary embodiment, the tested and analyzed data may be displayed on a web-style UI, which may allow users to view and interpret the data. In an exemplary embodiment, the submission of data through the web UI may be made via a hypertext transfer protocol secure (HTTPS) web portal. The HTTPS web portal may connect to the backend through a HTTPS REST API interface.

According to an exemplary embodiment, access to the data via the interface may be secured by one or more security measures, such as multi-factor authentication security. For example, multi-factor authentication may be used to authenticate the user when connecting to the backend through the HTTPS REST API interface, such that the user must log in and be authenticated by this process in order to submit and view data. Access control may be provided in two parts, first to check that the user is who they say they are (“AuthN”), and secondly to ensure that the user can access only what they are allowed to access (“AuthZ”); multi-factor authentication strengthens the first part, and the second part is enforced separately on each request. (In some exemplary embodiments, it may be contemplated to give a user a variable level of access, such as temporary access to certain data, if desired; in some exemplary embodiments, this control may be performed via the multi-factor authentication step.) The web UI may then form a web interface which uses certificates and session keys to encrypt the web interface traffic. For example, in an exemplary embodiment, the web UI may be served over TLS using certificates signed with SHA-256 and RSA (sha256WithRSAEncryption), with the traffic itself encrypted under the negotiated session keys, and may require users to uniquely authenticate themselves in order to gain access to the system.

According to an exemplary embodiment, the collection system may be configured to specifically target and collect data relating to the IT environment based on the connectors the administrator selects, downloads and implements, which may then be combined with the data being submitted manually by the user. This data may then be stored in the backend, and may be tested and analyzed by a testing and analyzing system which may be integrated with the backend.

In order to secure the interface from the connector to the backend, according to an exemplary embodiment, the interface from a connector to the backend may be secured using HTTPS to a REST API using a three-way, limited period session key to encrypt data. The connectors may require the user to first authenticate to the backend and provide a uniquely auto-generated application key. Thereafter tokens may be used for the backend to communicate to the data and services in the backend and the web UI. The tokens are periodically renewed.

In an exemplary embodiment, the REST API key may be generated by the platform and may only be updated through the web UI. Login credentials and multi-factor authentication may be required by the administrator to access the API key.
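The connector-to-backend exchange described in the preceding three paragraphs (administrator obtains an auto-generated application key, the connector exchanges it for a limited-period token, and tokens are renewed periodically) is shown below with both sides simulated in one process. This is an added example, not the platform's own code: the token layout (base64url JSON claims plus an HMAC-SHA256 tag), the 300 s lifetime, the 60 s renewal margin and the connector identifier are assumptions; in deployment each call is an HTTPS REST request.

```python
"""Application key -> short-lived session token -> authenticated data push.

Added example (not the platform's code). Token format, lifetimes and the
in-process simulation are assumptions.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class Backend:
    """Backend side: keeps only a hash of each application key and signs
    tokens with a key the connector never sees."""

    def __init__(self, token_ttl=300, clock=time.time):
        self._signing_key = secrets.token_bytes(32)
        self._app_keys = {}          # sha256(app_key) -> connector id
        self.token_ttl = token_ttl
        self.clock = clock
        self.tokens_issued = 0

    def register_connector(self, connector_id):
        """Platform-generated key, shown once to the administrator in the web UI."""
        app_key = secrets.token_urlsafe(32)
        self._app_keys[hashlib.sha256(app_key.encode()).hexdigest()] = connector_id
        return app_key

    def issue_token(self, app_key):
        connector_id = self._app_keys.get(hashlib.sha256(app_key.encode()).hexdigest())
        if connector_id is None:
            raise PermissionError("unknown application key")
        exp = int(self.clock()) + self.token_ttl
        body = _b64url(json.dumps({"sub": connector_id, "exp": exp}, sort_keys=True).encode())
        tag = hmac.new(self._signing_key, body.encode(), hashlib.sha256).hexdigest()
        self.tokens_issued += 1
        return f"{body}.{tag}", exp

    def verify(self, token):
        body, _, tag = token.rpartition(".")
        expected = hmac.new(self._signing_key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):      # check integrity before trusting claims
            raise PermissionError("bad token signature")
        claims = json.loads(_unb64url(body))
        if claims["exp"] <= self.clock():
            raise PermissionError("token expired")
        return claims

    def push_data(self, token, records):
        claims = self.verify(token)                      # every REST call carries the token
        return {"connector": claims["sub"], "accepted": len(records)}


class Connector:
    """Connector side: holds the application key (encrypted at rest in the
    customer environment; here in memory) and renews the token before expiry."""

    def __init__(self, backend, app_key, renew_margin=60):
        self.backend, self.app_key, self.renew_margin = backend, app_key, renew_margin
        self._token, self._exp = None, 0

    def _session_token(self):
        if self._token is None or self.backend.clock() + self.renew_margin >= self._exp:
            self._token, self._exp = self.backend.issue_token(self.app_key)
        return self._token

    def push(self, records):
        return self.backend.push_data(self._session_token(), records)


class FakeClock:
    """Controllable clock so the renewal and expiry paths can be exercised."""

    def __init__(self, now):
        self.now = now

    def __call__(self):
        return self.now


def _rejected(call):
    try:
        call()
        return False
    except PermissionError:
        return True


def simulate():
    """Constructed scenario: two pushes on one token, a renewal, then failures."""
    clock = FakeClock(1_700_000_000)
    backend = Backend(token_ttl=300, clock=clock)
    connector = Connector(backend, backend.register_connector("ad-connector-01"))
    first = connector.push([{"user": "alice"}, {"user": "bob"}])   # token issued
    clock.now += 100
    connector.push([{"user": "carol"}])                            # same token reused
    clock.now += 200                                               # inside renewal margin
    connector.push([])                                             # renewed transparently
    tokens_after_pushes = backend.tokens_issued
    stale, _ = backend.issue_token(connector.app_key)
    clock.now += 400                                               # past the stale token's exp
    tampered = stale[:-1] + ("0" if stale[-1] != "0" else "1")
    return {
        "first": first,
        "tokens_after_three_pushes": tokens_after_pushes,
        "expired_rejected": _rejected(lambda: backend.push_data(stale, [])),
        "tampered_rejected": _rejected(lambda: backend.push_data(tampered, [])),
        "bad_key_rejected": _rejected(lambda: backend.issue_token("not-a-real-key")),
    }


if __name__ == "__main__":
    print(simulate())
```

Storing only the hash of the application key on the backend means a backend database leak does not yield working connector credentials, and renewing before expiry avoids the failed-request-then-retry window a connector would otherwise hit.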

In an exemplary embodiment, the interface between the user, who may, for example, be manually submitting data and/or viewing analyzed data, and the backend may be secured via the HTTPS web portal. Multi-factor authentication may be required to access the web portal using an authentication application of the user's choice.

The platform may manage user activity through a profile system. As such, when the user first accesses the platform, or prior to the user attempting to access the platform, a user profile may be created by the user. Upon user profile creation, an email address may be required for the user. Upon login, an email may be sent to the user with a unique authentication code, which may be required to prompt the setup of the multi-factor authentication process. In an exemplary embodiment, the multi-factor authentication process may be governed by an external application, and the user may be presented with a quick response (QR) code and backup codes to link to an authentication application of the user's choice. Alternatively, the user may be able to set up multi-factor authentication directly in the platform, which may be any form of multi-factor authentication such as biometric authentication, dongle- or security key-based authentication, and so forth. In an exemplary embodiment, each user session may require the multi-factor authentication procedure to be executed in order to log in. (In some exemplary embodiments, multiple simultaneous forms of multi-factor authentication may be associated with a user, such as biometric data and a unique security key, or an email address and a phone number. In some instances, the user may be able to choose a desired second form of authentication from a set of several forms, such as may be desired; for example, the user may select whether to validate via email or via phone.)
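The QR-code enrolment with an authenticator application and the backup codes mentioned above correspond to the time-based one-time password scheme of RFC 6238 (HMAC-SHA1, 30-second steps) and the otpauth:// Key Uri that the QR code encodes. The block below is an added example, not the platform's own code; the platform may delegate this to an external application. The issuer and account names, the eight-code backup set and the PBKDF2 parameters are assumptions.

```python
"""TOTP (RFC 6238) generation and verification, the enrolment URI behind
the QR code, and single-use backup codes stored only as salted hashes.

Added example (not the platform's code). Issuer/account names, backup-code
count and hashing parameters are assumptions.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import urllib.parse


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, timestamp, step=30, digits=6):
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, timestamp // step, digits)


def verify_totp(secret, code, timestamp, window=1):
    """Accept the current step plus/minus `window` steps of clock drift,
    comparing in constant time."""
    return any(hmac.compare_digest(totp(secret, timestamp + skew * 30), code)
               for skew in range(-window, window + 1))


def provisioning_uri(secret, account, issuer):
    """Key Uri Format string that the enrolment QR code encodes."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    params = urllib.parse.urlencode({
        "secret": base64.b32encode(secret).decode().rstrip("="),
        "issuer": issuer, "algorithm": "SHA1", "digits": 6, "period": 30,
    })
    return f"otpauth://totp/{label}?{params}"


class BackupCodes:
    """Eight 10-hex-digit codes: plaintext handed out once, only salted
    PBKDF2 hashes retained, each code redeemable a single time."""
    ITERATIONS = 100_000

    def __init__(self, count=8):
        self._plain = [secrets.token_hex(5) for _ in range(count)]
        self._stored = []
        for code in self._plain:
            salt = secrets.token_bytes(16)
            self._stored.append((salt, self._hash(code, salt)))

    @classmethod
    def _hash(cls, code, salt):
        return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, cls.ITERATIONS)

    def issued_once(self):
        """Return the plaintext codes and forget them."""
        plain, self._plain = self._plain, []
        return plain

    def redeem(self, code):
        code = code.strip().lower()
        for i, (salt, digest) in enumerate(self._stored):
            if hmac.compare_digest(self._hash(code, salt), digest):
                del self._stored[i]          # single use
                return True
        return False

    def remaining(self):
        return len(self._stored)


if __name__ == "__main__":
    seed = secrets.token_bytes(20)
    print(provisioning_uri(seed, "alice@example.test", "AuditPlatform"))
    print("current code:", totp(seed, int(__import__("time").time())))
```

Backup codes carry only 40 bits of entropy, which is why they are stored under a salted, slow hash rather than a bare SHA-256 and invalidated on first use.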

Once authenticated, access to data may then be controlled through user profiles and mapping those user profiles to company hierarchies. According to an exemplary embodiment, user profiles may be linked to a company hierarchy after creation, based on an appropriate linking mechanism. For example, in one exemplary embodiment, a linking mechanism may include a set of unique codes which may be shared by the user profile and the company hierarchy page, which may link the user to the company hierarchy when the user and the administrator managing the company hierarchy each accept each other's codes.

According to an exemplary embodiment, all data may be uniquely tagged, and the platform may control users' access to data so that data with particular tags is only accessible to particular users, such that users may only access data which they have consent or authorization to access. In an exemplary embodiment, access to data may be allowed only through backend APIs, which may enhance the security surrounding the data. In an exemplary embodiment, upon being uploaded, all data that enters the platform may be tagged with a unique code. All communication within the platform may make use of the APIs, which may require a unique identification and authentication to operate, which ensures access to user or company specific data is highly restricted and secured.

According to an exemplary embodiment, linking may be performed between other entities, such as between a first company and a second company. For example, companies that form part of a multiple-entity group (such as parent and subsidiary) may be linked together on the platform. For example, linking may be done by means of a parent company providing a unique code to a child company, who then requests access from the parent company using this code; the child company may only be linked once the parent company accepts the request for access. The parent or child company, or other linked companies, may deny or de-link the other company from the platform at any time, ensuring that the platform does not have to be reconfigured if the subsidiary is spun off as an independent entity. The ability to link and de-link these or other connections may be restricted to the administrators. (For example, an internal hierarchy may likewise be de-linked by an administrator.)
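The three preceding paragraphs describe mutual code acceptance for linking a user to a hierarchy, unique tags on every uploaded data item, and code-based linking and de-linking of parent and child companies. The following is an added example of how those rules compose into an authorization check; it is not the platform's own code. The data structures, the entity and user names, and the rule that a linked parent may read a subsidiary's data (but not the reverse) are assumptions.

```python
"""Tag-based data access over user profiles linked to a company hierarchy.

Added example (not the platform's code). Data model, names and the
parent-reads-child rule are assumptions.
"""
import secrets
import uuid


class Platform:
    def __init__(self):
        self.parent = {}           # entity -> parent entity, None when unlinked
        self.admin_codes = {}      # entity -> code the hierarchy page shows to users
        self.user_codes = {}       # user -> code the user's profile shows to admins
        self.acceptances = {}      # (user, entity) -> sides that have accepted
        self.user_entity = {}      # user -> entity, set only after both sides accept
        self.parent_codes = {}     # code -> parent entity that issued it
        self.link_requests = set() # (parent, child) awaiting the parent's acceptance
        self.data = {}             # tag -> (owning entity, payload)

    # ---- entities and users -------------------------------------------
    def add_entity(self, name):
        self.parent[name] = None
        self.admin_codes[name] = secrets.token_urlsafe(6)

    def add_user(self, user):
        self.user_codes[user] = secrets.token_urlsafe(6)

    # ---- user <-> hierarchy: each side accepts the other's code --------
    def user_accepts(self, user, entity, admin_code):
        if self.admin_codes.get(entity) != admin_code:
            raise PermissionError("wrong hierarchy code")
        self._accept(user, entity, "user")

    def admin_accepts(self, entity, user, user_code):
        if self.user_codes.get(user) != user_code:
            raise PermissionError("wrong user code")
        self._accept(user, entity, "admin")

    def _accept(self, user, entity, side):
        sides = self.acceptances.setdefault((user, entity), set())
        sides.add(side)
        if sides == {"user", "admin"}:
            self.user_entity[user] = entity

    # ---- company <-> company: parent code, child request, parent accept -
    def issue_parent_code(self, parent):
        code = secrets.token_urlsafe(6)
        self.parent_codes[code] = parent
        return code

    def request_link(self, child, code):
        parent = self.parent_codes.get(code)
        if parent is None:
            raise PermissionError("unknown parent code")
        self.link_requests.add((parent, child))

    def accept_link(self, parent, child):
        if (parent, child) not in self.link_requests:
            raise PermissionError("no pending request")
        self.link_requests.remove((parent, child))
        self.parent[child] = parent

    def delink(self, child):
        self.parent[child] = None

    # ---- data: tag on upload, authorize on read ------------------------
    def upload(self, entity, payload):
        tag = uuid.uuid4().hex
        self.data[tag] = (entity, payload)
        return tag

    def _ancestors_or_self(self, entity):
        while entity is not None:
            yield entity
            entity = self.parent[entity]

    def read(self, user, tag):
        entity = self.user_entity.get(user)
        if entity is None:
            raise PermissionError("user not linked to any hierarchy")
        owner, payload = self.data[tag]
        if entity not in self._ancestors_or_self(owner):
            raise PermissionError("tag not authorized for this user")
        return payload


def _can_read(platform, user, tag):
    try:
        platform.read(user, tag)
        return True
    except PermissionError:
        return False


def scenario():
    """Constructed walk-through: link users, link a subsidiary, de-link it."""
    p = Platform()
    p.add_entity("HoldCo")
    p.add_entity("SubCo")
    p.add_user("holdco_auditor")
    p.add_user("subco_admin")

    p.user_accepts("holdco_auditor", "HoldCo", p.admin_codes["HoldCo"])
    linked_after_one_side = "holdco_auditor" in p.user_entity     # admin has not accepted
    p.admin_accepts("HoldCo", "holdco_auditor", p.user_codes["holdco_auditor"])
    p.user_accepts("subco_admin", "SubCo", p.admin_codes["SubCo"])
    p.admin_accepts("SubCo", "subco_admin", p.user_codes["subco_admin"])

    sub_tag = p.upload("SubCo", {"setting": "password_min_length", "value": 8})
    hold_tag = p.upload("HoldCo", {"setting": "mfa_enabled", "value": 1})

    before_link = _can_read(p, "holdco_auditor", sub_tag)
    p.request_link("SubCo", p.issue_parent_code("HoldCo"))
    pending = _can_read(p, "holdco_auditor", sub_tag)              # parent not yet accepted
    p.accept_link("HoldCo", "SubCo")
    after_link = _can_read(p, "holdco_auditor", sub_tag)
    child_reads_parent = _can_read(p, "subco_admin", hold_tag)
    subco_reads_own = _can_read(p, "subco_admin", sub_tag)
    p.delink("SubCo")                                              # subsidiary spun off
    after_delink = _can_read(p, "holdco_auditor", sub_tag)
    return {
        "linked_after_one_side": linked_after_one_side,
        "before_link": before_link, "pending": pending, "after_link": after_link,
        "child_reads_parent": child_reads_parent, "subco_reads_own": subco_reads_own,
        "after_delink": after_delink,
    }


if __name__ == "__main__":
    print(scenario())
```

Because authorization is evaluated against the hierarchy at read time rather than copied onto each item at upload, de-linking the subsidiary revokes the parent's access immediately without retagging any data.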

According to an exemplary embodiment, the data collected about the company (or other entity) may be provided to the entity in a detailed form. The data may be organized through a data normalization process, and may be sanitized or anonymized into a global data structure, such that the data is no longer identifiable as having been provided by a specific entity, for various reporting requirements across industries and geographies.

The data collected by the connectors and transmitted to the backend may be processed and stored by the backend. The data submitted using the web UI may also be processed and stored by the backend. The data may be tested and analyzed by the testing and analyzing system integrated with the backend.

In an exemplary embodiment, access configuration may also be included in the backend. Access configuration may include, for example, configuration of core functions of the platform, information output, and user administration.

In an exemplary embodiment, the testing and analyzing system may be configured to apply audit techniques to the collected data using cognitive automation. Cognitive automation is a process by which AI techniques may be applied to automate specific business processes, in a manner that seeks to emulate the overall way that humans think, and which incorporates other techniques such as natural language processing, pattern recognition, and contextual analyses in order to do so.

Cognitive automation may offer certain advantages in that it may learn, at least in some small way, by association. In particular, cognitive automation may allow a platform to take unstructured data, and then use that to build relationships and create indices, tags, annotations, and other metadata. The platform may try to find similarities between items pertaining to specific business processes, such as assets used in each process. For example, upon facing a problem, the cognitive automation system may determine whether the problem resembles something it has seen before, and, if it does find an analogous case, may determine what was done in that similar instance. If not, the platform may determine whether it is connected to something that it has seen before, and, if so, may gauge the apparent strength of the connection. The platform may then drill down deeper, identifying the components involved in the problem.

This may, essentially, provide the platform with something like cognitive ability, which may be improved as the platform makes more and more connections between situations and processes. As a result, the more data the platform consumes, the more intelligent and predictive the platform becomes. Audit techniques can then be used to verify the data collected. Cognitive automation may include one or more of configured rules, machine learning, natural language processing and artificial intelligence.

The testing and analyzing system may be configured to detect unauthorized software being used in the IT environment of the companies, to monitor vulnerability of the IT environment, to monitor backups (and perform any other resilience monitoring and testing, as appropriate, such as testing backups performed to identify failed backups), as well as to monitor patch management to identify software that requires remediation and updates to the current installed version. The audit techniques may be simultaneously executed, continuous and carried out in near real-time, allowing for automated and near real-time IT audit services. The testing and analyzing system may be configured to maintain consistent audit quality which is aligned to best practice standards or company policy. The testing and analyzing system may include focused security modules which conduct vulnerability scanning as one component of testing and analysis.

According to an exemplary embodiment, the present platform may be configured to add identifying information to collected data, such that information may be identified as belonging to a particular system type. Likewise, the present platform may be configured to add a layer of context to collected data, identifying the significance of the data or the applicability of the data to specific other systems. In an exemplary embodiment, collected data may be provided with this layer of context prior to testing, allowing the test to be performed with this context in mind. According to an exemplary embodiment, collected data may be provided with this layer of context at any time prior to the conclusion of testing, such that results may be clearly associated with a particular system. This may allow the platform to run audit evaluations once on a particular system, or particular subset of system components, and then later rerun an identical evaluation on a different system. The results of these analyses may then be presented to the user simultaneously. This may, for example, be used to audit portions of an IT system taken alone or with only select other components of the system being included, allowing certain specific faults to be identified and allowing recommendations to be tailored to the actual effect that certain components have on the network. (For example, in one hypothetical case, a network may be tested with a certain component being represented as present, and then may be tested with the certain component being represented as absent. If there is a marked difference in the magnitude or type of vulnerabilities present in the two networks, this may be used as the basis for recommendations to the user. For example, a certain network component may not present a significant risk to the network if attacked, but may function as a plant or foothold for further pivoting inside of the network, and as such the removal of this component from the IT system may result in a larger than expected increase in security.)
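The present-versus-absent comparison in the parenthetical above can be made concrete by modelling the environment as a lateral-movement graph and measuring how much reachable asset value disappears when a component is removed, net of that component's own value. The following is an added example, not the platform's own code; the network, its edges, the asset values and the “exposure” metric are all constructed for illustration.

```python
"""Rank components by how much exposure their removal eliminates beyond
their own value (the foothold-for-pivoting case).

Added example (not the platform's code). Graph, values and metric are
constructed assumptions.
"""
from collections import deque

# Constructed: an edge A -> B means an attacker holding A can move to B.
EDGES = {
    "internet": ["web", "vpn"],
    "web": ["app"],
    "vpn": ["jump"],
    "jump": ["db", "app", "fileshare"],
    "app": ["db"],
    "fileshare": ["dc"],
    "db": [],
    "dc": [],
}

# Constructed intrinsic value (impact if compromised) of each asset.
VALUE = {"web": 2, "vpn": 2, "jump": 1, "app": 3, "fileshare": 1, "db": 10, "dc": 10}


def reachable(edges, start, removed=frozenset()):
    """Nodes an attacker can reach from `start` when `removed` nodes are absent."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in edges.get(node, []):
            if nxt not in removed and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def exposure(edges, value, start, removed=frozenset()):
    """Summed value of everything reachable from the entry point."""
    return sum(value.get(n, 0) for n in reachable(edges, start, removed))


def pivot_value(edges, value, start, node):
    """Exposure reduction from removing `node`, minus the node's own value:
    high when the component matters mainly as a stepping stone."""
    with_node = exposure(edges, value, start)
    without_node = exposure(edges, value, start, frozenset({node}))
    return (with_node - without_node) - value.get(node, 0)


def rank_footholds(edges, value, start):
    """Components ordered by pivot value, highest first."""
    return sorted(((pivot_value(edges, value, start, n), n) for n in value), reverse=True)


if __name__ == "__main__":
    print("baseline exposure:", exposure(EDGES, VALUE, "internet"))
    for score, node in rank_footholds(EDGES, VALUE, "internet"):
        print(f"{node:10s} pivot value {score}")
```

In the constructed graph the jump host and file share each carry a value of 1, yet removing either takes 10 or more points of downstream exposure with it, which is exactly the larger-than-expected security gain the text describes; the database and domain controller score zero because nothing lies beyond them.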

Once collected, the data audited by the platform may be reviewed, and, if desired, may be overridden. In certain exemplary embodiments, the data audited by the platform may be selectively overridden, or may be overridden if manually uploaded data dealing with similar aspects of the IT infrastructure is too different from the automatically collected data. Any such override may be recorded together with the identity of the user making it and the reason given, so that the audit trail shows both the collected value and the value actually used.

An exemplary embodiment of how the present platform may operate to provide context to data in order to yield an enhanced result is as follows. The platform may be configured to correlate a record pertaining to a human user in one application to an unlinked record for the same human user in a different application, thereby creating a single persistent record for that user across each of the applications that the human user is using, or at least the applications that the human user is using that are interrelated. In various exemplary embodiments of the present platform, it may be contemplated to have the platform conduct further analysis in order to link such records, and the platform may, for example, look at simultaneously active sessions on the same machine in order to link records. (For example, in one such case, a user may have a first record maintained in a first program based on their company email address, which may for example be “john.smithl,” and may have a second record maintained in a second program based on a different credential, such as “j smith,” which the platform may not be able to immediately associate with one another based on analysis of records. However, if the user consistently simultaneously updates each record, these two records may be associated with one another, if desired.) In this manner, the platform may thus create a single unique record that provides a view of all of the applications that the human user has access to, even if there is no link between the applications.

It may further be contemplated that the platform may analyze similar data, or contextually linked data, from multiple perspectives, or may apply different sets of rules or machine learning to different sets of data within a grouping of data that has been collected and aggregated. This may allow different control testing contextualization of the information and may show different results that need to be remediated. It may also be possible to apply the same rule multiple times if different results can potentially be obtained. For example, in one case where a control testing result that may be shown on a dashboard of a user may be yielded from statistical sampling of a certain type of data, it may be contemplated to perform statistical sampling of the data multiple times in order to determine a sampling variation.

One further example of how data may be contextualized according to an exemplary embodiment of the present platform may come from a password configuration process. In an exemplary embodiment, elements of the password configuration process, such as a password configuration dialog as it may be implemented on a specific application, may be uploaded to a platform in the form of an image, such as a JPEG or PNG image. (It may also be contemplated to look at other elements, such as the passwords themselves, or password hashes corresponding to commonly used passwords such as “password” or “password123.”) This may be analyzed by the platform via machine learning in order to translate the unstructured data to structured data, at which point any algorithms that are applicable to the structured data may be run. The context added to the data set in question may be provided by comparing the now structured data to another set of unstructured data, such as a password policy that has been provided in a PDF document instituted by the organization. The platform may be configured to alert users when the configuration differs from the formally approved policy, when the password dialog in some way differs from the policy (at which point a design team of the software, for example, may be notified) or when the password in some way differs from the policy (if the password is not long enough, if the password hash corresponds to a common password hash, if the password is briefly stored in plaintext and directly analyzed for compliance with a particular standard such as a number of numbers or other special characters that may be required, and so forth). Handling a plaintext password in this way broadens the platform's own attack surface, so such analysis should be confined to the moment of entry, with the plaintext never persisted, logged, or transmitted to the backend. In an exemplary embodiment, different users may be alerted when a breach in policy is noted, based on the nature of the breach in policy and those considered to be responsible for fixing it; for example, when the user has typed an ineligible password, the user may be notified, but when a password dialog itself is vague and ambiguous, an interface management team may be notified.
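The password example above involves three separate checks: comparing the structured configuration against the approved policy (with the right direction of comparison for each setting), testing a password against the policy and against hashes of common passwords, and routing each finding to the audience responsible for fixing it. The block below is an added example, not the platform's own code. The policy values, the configuration (as if structured from a dialog screenshot), the common-password list, the audience names and the use of SHA-256 for the comparison are constructed assumptions; a real deployment compares against the target system's own hash format.

```python
"""Policy-versus-configuration deviations, password checks, alert routing.

Added example (not the platform's code). POLICY, CONFIG, the common
password list, SHA-256 as the comparison hash and the audiences are
constructed assumptions.
"""
import hashlib
import re

# Constructed: the approved policy (as extracted from the policy PDF)...
POLICY = {"min_length": 12, "min_digits": 1, "min_special": 1,
          "max_age_days": 90, "lockout_threshold": 5}
# ...and the live configuration (as structured from the dialog image).
CONFIG = {"min_length": 8, "min_digits": 1, "min_special": 0,
          "max_age_days": 90, "lockout_threshold": 10}

# Direction of compliance differs per setting: a longer minimum length is
# fine, a larger lockout threshold or longer maximum age is not.
AT_LEAST = {"min_length", "min_digits", "min_special"}
AT_MOST = {"max_age_days", "lockout_threshold"}


def config_deviations(policy, config):
    """Return (setting, policy value, configured value) for each non-compliant setting."""
    deviations = []
    for setting, required in policy.items():
        actual = config.get(setting)
        if actual is None:
            deviations.append((setting, required, None))
            continue
        compliant = actual >= required if setting in AT_LEAST else actual <= required
        if not compliant:
            deviations.append((setting, required, actual))
    return deviations


# Constructed common-password list, held only as hashes.
COMMON_PASSWORDS = ["password", "password123", "123456", "qwerty"]
COMMON_HASHES = {hashlib.sha256(p.encode()).hexdigest() for p in COMMON_PASSWORDS}


def check_password(password, policy):
    """Policy failures for one password; the plaintext is not retained."""
    failures = []
    if len(password) < policy["min_length"]:
        failures.append("min_length")
    if len(re.findall(r"\d", password)) < policy["min_digits"]:
        failures.append("min_digits")
    if len(re.findall(r"[^A-Za-z0-9]", password)) < policy["min_special"]:
        failures.append("min_special")
    if hashlib.sha256(password.encode()).hexdigest() in COMMON_HASHES:
        failures.append("common_password")
    return failures


def route_alerts(deviations, password_failures):
    """Configuration findings go to the interface team, password findings to the user."""
    alerts = {"interface_team": [], "user": []}
    for setting, required, actual in deviations:
        alerts["interface_team"].append(
            f"{setting}: configured {actual}, policy requires {required}")
    for failure in password_failures:
        alerts["user"].append(f"password fails policy: {failure}")
    return alerts


if __name__ == "__main__":
    devs = config_deviations(POLICY, CONFIG)
    print(route_alerts(devs, check_password("password123", POLICY)))
```

Note that a configuration can be stricter than the policy without being a finding, which is why the comparison direction is recorded per setting rather than testing for plain inequality.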

In an exemplary embodiment, the data audited by the platform may be provided with percentage confidence levels. The testing and analyzing system may be configured to query and analyze large amounts of data. The testing and analyzing system may be configured to read policies and print screens, compute data, automate routine tasks and test controls.

In an exemplary embodiment, the testing and analyzing system of the backend may include a clustering system, a streaming system, and a data warehouse. The clustering system may be, for example, a cluster of servers set up using APACHE SOLR CLUSTER (or another similar system) to perform clustering or cluster analysis. SOLR, specifically, may allow a user to set up a cluster of SOLR servers that combines fault tolerance and high availability, in a manner that allows the resulting SOLRCLOUD to provide distributed indexing and search capabilities.

The connectors may then be connected to the streaming system, which may, for example, be a system such as CLOUD PUB/SUB, or another similar system. GOOGLE CLOUD PUB/SUB is a fully-managed real-time messaging service that allows messages to be sent and received between independent applications, thereby providing a simple, scalable foundation for stream analytics and event-driven computing systems, or other systems that require messaging between different applications. This may allow for stream analytics and event-driven computing which allows for the delivery of event data. The streaming system is connected to the data warehouse or warehouses, such as BIGQUERY and SOLR, which may analyze and store the data.

The testing and analyzing system may further include a machine learning service, such as GOOGLE CLOUD MACHINE LEARNING. The machine learning service may also include a classification system which classifies images into categories, detects objects and faces within images, and also locates and reads printed words within images. The classification system may include a GOOGLE CLOUD VISION application programming interface (API). The machine learning service may further include an audio to text converter system, such as GOOGLE CLOUD SPEECH-TO-TEXT API. The machine learning service may further include a translator for translating text, which may be, for example, GOOGLE CLOUD TRANSLATION API. The machine learning service may further include a reader program which extracts information from text documents, which may be, for example, GOOGLE CLOUD NATURAL LANGUAGE API.

According to an exemplary embodiment, the platform may further include a reporting program. The reporting program may provide real-time and interactive dashboard reporting to report the analyzed information and the data collected, tested and analyzed. The reporting program may be configured to aggregate and consolidate audit results and IT data.

According to an exemplary embodiment, the aggregation and consolidation of the audit results and IT data may involve a data enrichment process, which may then be made available to the user via the reporting program. Based on the enriched data, various visualizations may be generated for the user in order to show the data as visual results. For example, according to an exemplary embodiment, data in an audit report may be enriched by adding a comparison of the organization's results relative to other organizations of a similar size or complexity, or in a similar industry, which may be performed individually or in aggregate (i.e. an average result for companies of similar size, an average result for companies of similar complexity, and an average result for companies in the same industry, or alternatively a grouping of two or more of the above such as data for the nearest available peer or set of peers). It may also be contemplated to enrich the results by taking into account previous data records from the company, such as a previous year's data records, an average of several previous years, or a forecasted trend, which may for example be based on a set of previous years or a set of data collected over other time periods. For example, it may be contemplated that audits may be performed multiple times within a year, such as monthly, and the results of an audit may be compared to a data set determined based on a trend forecasted based on the monthly results in order to indicate improvement or worsening of the IT control environment in response to changes made by the company, new developments in external threats, and so forth.

Reporting functionalities of the reporting program may include drill-down capabilities, which may allow the user to click and view or interrogate the source data that resulted in a specific outcome. For example, according to an exemplary embodiment, a visualization of data presented to the user may be provided in such a manner that specific elements of the visualization are associated with specific data elements, allowing the source data to be directly retrieved upon selection of a particular element of the visualization.

According to an exemplary embodiment, the reporting functionalities of the present platform may be used to equip different audiences with visibility into one or more of governance, risk, maturity and security of the IT environment. The views may be customized for a particular audience, by tailoring the presentation of the views to present more or less detail regarding governance, risk, maturity, or security. Reports may be generated using the reporting system. The reports may include free-text options. A single view of the user across the IT environment may be provided with the associated risks and maturities. The reporting system may be configured to allow for reports to be exported and downloaded by the user, or otherwise made available or published, if desired.

The reporting system may be configured to accommodate multiple reporting lines, both functionally and operationally. The platform may, as a general matter, be targeted primarily at two types of audiences. A first intended audience of the platform may include those users charged with governance of an IT environment, as the platform equips the users with visibility into the risk, governance and security of the IT environment. The second intended audience of the platform may be IT management, as the platform enables IT management to mitigate and manage the IT risks in a continuous, online and real-time manner.

In an exemplary embodiment, visualization of the results of the audit services provided by the platform may be customizable to the target audience through real-time and interactive dashboards with both aggregated overviews and drill-down capabilities, which may include, for example, an instant messaging platform. These mechanisms, respectively, may be configured to alert audiences of new threats and/or anomalies detected and facilitate questions and answers about the IT environments.

The platform may further be configured to retrieve and store information regarding the latest technologies available and their estimated price points, including the costs associated with purchasing whatever IT infrastructure systems are necessary to purchase, or an appropriate license to same (which may, for example, be calculated by the platform based on anticipated need), and the costs associated with implementation. The platform may then be configured to generate a proposal for the user specifying the latest technologies available, and comparing them with existing technologies, which may also provide indications of cost savings and/or price differentials. The platform may generate a requirements document for a future state of optimization. These features may form part of the reporting system.

According to an exemplary embodiment, the platform may be further configured to provide remediation alerts and notifications in order to remediate the data collected, tested and analyzed. The alerts and notifications may be based on continuous monitoring conducted by the platform. The platform may be configured to detect global anomalies, establish trends in those anomalies, and then respond to the anomalies. The platform may have an extensive database of real-time data that allows for industry, company and/or user profiling for both trending and anomaly detection purposes. The platform may also include filtered alert mechanisms.

The platform may be configured to provide remediation recommendations through the reporting system. For example, in an exemplary embodiment, the platform may identify a particular user that presents a high risk in the current user configuration, and may identify this user as a high risk. (For example, as discussed to some extent above, it may identify that a user in a senior management role has certain IT or network security credentials which they no longer need because of their new role. The platform may then generate a recommendation for the user that this senior management figure should be removed from certain systems or granted a lower level of access.) In an exemplary embodiment, all of these recommendations may be consolidated on a single view, such that all of the recommendations may be reviewed and enacted, or not enacted (if desired), at once. This may provide an improvement over existing tools that require IT management personnel to review individual users, or other individual issues, on an application-by-application view, sometimes even requiring that different tools be used in order to review successive issues.

In an exemplary embodiment, the remediation recommendations may be customized to suit the user's needs based on factors such as measurable metrics, the best product fit for the user, and benchmarking available to compare solutions to one another. (For example, ideally, the user may be shown a product comparison showing a current product, a best product, metrics for each product showing a degree of improvement that could be obtained by selecting the other product, and benchmarking showing the capabilities of each product.) The platform may be configured to alert or notify the user of current risk exposures or inefficiencies within the IT environment. The platform may be configured to map the existing specifications of the user's IT environment to a proposed specification based on product catalogues and/or rules and architecture intelligence.

The platform may function to make business-specific recommendations, which may include a recommendation to take no action or take incomplete action to resolve an issue if it is considered to present a low level of harm or is otherwise considered to be a low priority. For example, in one case, if the platform detects a security issue in the IT environment, it may then operate to make recommendations regarding the remediation of the security issue in the context of the size of the environment, the risk appetite of the business, the risk profile of the business, the budget of the business, and so forth. This may operate to provide a contextualized and non-generic method of providing an audit recommendation, allowing the overall platform to make highly specific remedial recommendations that may involve recommendations of specific tools, or which may incorporate the “how” and “why” of solving the problem. In an exemplary embodiment, such recommendations may be based on training data regarding the history of the business or other organization, the history of other businesses in its industry, or any other applicable information such as threat forecasting, such as may be desired.

To give an example of how this may function, the platform may determine that a particular security issue exists for a business, in a first step. The platform may then determine a size of the business environment, and evaluate the other risks presented by the business environment, and their estimated impact on the business environment as a whole. The platform may then determine a risk appetite of the business, which may be based on, for example, customer specification of a risk appetite value, evaluation of past responses to attacks, or comparison to other similarly-situated businesses in its field or in related fields. The platform may then determine a risk profile of the business, in order to evaluate the predicted frequency and severity of future attacks, as well as the nature that these attacks are likely to take, which may again be based on past results or based on a comparison of the business to the remainder of its industry. The platform may then determine a budget of the business, and, using the specified budget of the business, price information regarding a set of tools, and the estimated impact of each tool, may perform an optimization step in order to determine which tools would have the most overall impact on the business's security issue or security issues.

In an exemplary embodiment, the platform may maintain a list of basic security controls which can be implemented with little or no cost, which may have a significant overall impact on the typical cybersecurity exposure for a business. For example, if the organization has a large budget and a limited number of security issues, the platform may recommend a number of powerful proprietary tools tailored to that specific problem, whereas if the organization has a small budget and a larger number of security issues, the platform may first try to select freeware tools that might have the biggest impact, and may then perform an optimization step regarding the remaining issues, choosing tools that are likely to cost-efficiently reduce the severity of the biggest issues. (It is noted that the use of even basic cybersecurity controls can help reduce overall exposure by up to 85%, for almost any company. These baseline controls may include, for example, tracking of IT hardware and software over time, the appropriateness of password controls on the network and on local machines, whether appropriate logs and monitoring are operating, whether antivirus has been properly deployed, whether software patches have been properly installed, whether there are any software or configuration vulnerabilities in the IT environment, and whether the user and administrator accounts on the network have been properly configured.)

According to an exemplary embodiment, once a recommended tool or service has been implemented, further actions may be taken in order to interact with the tool or service in the context of an exemplary embodiment of the platform. For example, according to an exemplary embodiment, following the implementation of a recommended tool or service, a business operating a platform may be able to provide a rating based on the ease of implementation of the tool or service, or may alternatively be able to provide other feedback through an interface provided via the platform. In an exemplary embodiment, this may be used in order to improve future recommendations involving the type of issue that the business has encountered and the applicable remediation plan, which may, for example, be applicable to every occurrence of such issue or may, for example, be applicable to every future occurrence of the issue that involves a business in the same industry, of the same size, having the same internal complexity, or so forth. For example, in an exemplary embodiment, a tool with the highest rating or the highest rating by similarly-situated businesses may be automatically recommended, or a set of top three tools may be automatically recommended, which may be based on lifetime feedback and user ratings or may be based on limited-time feedback and user ratings, such as feedback corresponding to the last several versions of the tool or which has been taken over the past year or another such time period.

According to an exemplary embodiment, the platform may store, for each company which is part of a group, a profile, the profile being managed by an administrator of that company or another authorized user. The backend may also store an inventory of hardware and software used by each company of the group.

In an exemplary embodiment, all system activities may be logged by the backend. The logging may include, for example, a process of timestamping and referencing the associated user or connector. In an exemplary embodiment, all internal communication within the platform may be logged and retained in the backend. (In some cases, where internal logging is not available for particular communication but other records of the communication exist, the platform may be configured to prepare a written request to a designated person, requesting the communication.) In an exemplary embodiment, the set of new users and last logins may be tracked and may be provided to the administrator on an interface, allowing the administrator to track this information. In an exemplary embodiment, all evaluations and amendments to control evaluations may be associated with, and may show, last updates and reviews. Further logging may be made available through the APIs available for each system. By using the system APIs and a business intelligence tool of choice, the administrator may create their own system management dashboards.

According to an exemplary embodiment, the platform may be configured to operate with an extensive, global set of real-time data to perform trending and profiling of IT risk and/or maturity based on company or group type or industry. The platform may automatically apply risk monitoring against the companies or groups using the platform when a new global trend and/or anomaly is identified by the platform, and the platform may then be configured to automatically alert relevant users or stakeholders of the companies or groups accordingly.

According to an exemplary embodiment, the platform may, in this manner, be configured to provide insight into the user's current IT environment relating to the IT environment's infrastructure. The platform may be configured to provide an auditing service and act as a management monitoring tool or system.

The platform includes IT auditing over a variety of information technology features, encompassing a variety of programs. This may include, for example, IT auditing of technical security features such as antivirus, firewalls, asset management, network security configuration, password configuration, patch management, user profile management, website security, and WordPress-specific security. This may further include IT auditing over Microsoft structured query language (SQL) security measures such as SQL server hardening. (According to an exemplary embodiment, SQL hardening may provide automated testing of a variety of critical areas of SQL database security, including version management, authentication mechanisms, backup management, antivirus deployment, and required services testing.) This may further include IT auditing over cloud security features such as generic security measures that are core to the configuration of any cloud environment and AZURE-specific security measures. This may further include IT auditing over business resilience features such as back-up management, back-up operations, business continuity planning and disaster recovery planning. This may further include IT auditing over user administration features such as new and terminated user profile management, user access policies and procedures, user data profile data accuracy and user profile management.
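As an added illustration of the SQL server hardening tests named in the parenthetical above (this is example code written for this page, not code from the patent or any product it describes), the block below runs the five listed areas as automated checks over one collected configuration record. The record, its field names, the version-number mapping and the thresholds are all constructed assumptions; a real connector would populate the same shape from the database instance.

```python
"""Added example (not the patent's own code) of the SQL Server hardening checks
listed in the text: version management, authentication mechanisms, backup
management, antivirus deployment and required services. The collected
configuration record, its field names and the baseline thresholds are all
constructed assumptions."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Constructed sample of what a connector might collect from one SQL Server instance.
SAMPLE_SQL_CONFIG = {
    "host": "db01.example.internal",     # constructed hostname
    "version_major": 13,                 # 13 = SQL Server 2016 (assumed mapping)
    "auth_mode": "mixed",                # "windows" or "mixed"
    "sa_enabled": True,
    "last_full_backup": "2024-01-03",    # ISO date of the last full backup, or None
    "antivirus_installed": False,
    "services_running": ["MSSQLSERVER", "SQLSERVERAGENT", "SQLBrowser", "MSSQLFDLauncher"],
}

# Baseline thresholds used by the checks (assumed values, not taken from the patent).
MIN_SUPPORTED_MAJOR = 14
MAX_BACKUP_AGE_DAYS = 7
REQUIRED_SERVICES = {"MSSQLSERVER", "SQLSERVERAGENT"}


@dataclass(frozen=True)
class Finding:
    control: str
    severity: str   # "high", "medium" or "low"
    detail: str


def check_version(cfg, today):
    if cfg["version_major"] < MIN_SUPPORTED_MAJOR:
        return [Finding("version_management", "high",
                        f"major version {cfg['version_major']} is below the supported minimum {MIN_SUPPORTED_MAJOR}")]
    return []


def check_authentication(cfg, today):
    findings = []
    if cfg["auth_mode"] != "windows":
        findings.append(Finding("authentication", "medium",
                                "mixed-mode authentication enabled; prefer Windows authentication"))
    if cfg["sa_enabled"]:
        findings.append(Finding("authentication", "high", "built-in sa login is enabled"))
    return findings


def check_backups(cfg, today):
    last = cfg.get("last_full_backup")
    if last is None:
        return [Finding("backup_management", "high", "no full backup recorded")]
    age = (today - date.fromisoformat(last)).days
    if age > MAX_BACKUP_AGE_DAYS:
        return [Finding("backup_management", "high",
                        f"last full backup is {age} days old (limit {MAX_BACKUP_AGE_DAYS})")]
    return []


def check_antivirus(cfg, today):
    if cfg["antivirus_installed"]:
        return []
    return [Finding("antivirus_deployment", "medium", "no antivirus agent detected on the host")]


def check_services(cfg, today):
    running = set(cfg["services_running"])
    findings = []
    missing = REQUIRED_SERVICES - running
    if missing:
        findings.append(Finding("required_services", "high", f"required services not running: {sorted(missing)}"))
    extra = running - REQUIRED_SERVICES
    if extra:
        findings.append(Finding("required_services", "low", f"non-required services running: {sorted(extra)}"))
    return findings


CHECKS = (check_version, check_authentication, check_backups, check_antivirus, check_services)


def run_sql_hardening_checks(cfg: dict, today: date | None = None) -> list[Finding]:
    """Runs every check against one collected configuration record."""
    today = today or date.today()
    findings = []
    for check in CHECKS:
        findings.extend(check(cfg, today))
    return findings


if __name__ == "__main__":
    for f in run_sql_hardening_checks(SAMPLE_SQL_CONFIG):
        print(f"[{f.severity:6}] {f.control}: {f.detail}")
```

Each check returns a list so that one control area can raise several findings (authentication, for instance, reports both mixed mode and an enabled sa login), and the `today` parameter keeps the backup-age test deterministic.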

It may further be contemplated to have the platform act as a pre-sales tool enabling a sales force to sell intelligently. In such an exemplary embodiment, the platform may be used to pre-scan an IT environment and generate certain specified output information for a vendor, who may then use this valuable information to determine how to best pitch their solution and make the correct proposal to a customer. As such, the platform may substantially digitalize the sales force by taking the previously human-intensive process of performing an IT audit and completely automating the process from start to end, and then further applying the audit and recommendation process in order to generate recommendations of which specified products (such as products sold by the vendor) could improve the operation of the IT system. In some cases, such as when the platform operator does not necessarily want to expose their entire system to analysis (for example, if the vendor is a prospective vendor with no pre-existing relationship with the company), the IT audit platform may also be configured to fill in blanks or make conjectures based on the best available information.

In an exemplary embodiment, the platform may assist with cloud-readiness assessments and environment optimization by providing insight into the current architecture, operational information, and seemingly unrelated systems. This insight could be used to re-architect the environment on a cloud platform, as a more efficient or effective local platform, or as a hybrid of cloud systems and local, on-premise systems.

In some exemplary embodiments, variations on the platform described above may be contemplated. For example, according to another exemplary embodiment, there may be provided a method of facilitating the automated IT audit using the platform described above. This method may include the steps of collecting data from one or more sources using a collection system; testing and analyzing the data gathered by the collection system using the testing and analyzing system associated with the backend; and reporting the tested and analyzed data to the user through the reporting system and presenting the tested and analyzed data on the frontend such that the tested and analyzed data is accessible and manageable by the user.

According to such a method, the platform may further use the data collected, tested and analyzed to generate a textual report detailing the analysis, and may further be configured to make remediation recommendations based on the results.

According to another exemplary embodiment, there may be provided a system for facilitating an automated IT audit, similar to the one originally described, which as noted may make extensive use of an automated IT auditing platform. This platform may include a frontend configured to allow one or more users to access and manage the platform; a network connecting the frontend to a backend; and a collection system configured to gather data from one or more sources in an IT environment to be used for the IT audit. The backend may include at least one server configured to send, receive, store and process data, and a testing and analyzing system, which may encompass algorithms, machine learning and artificial intelligence, the testing and analyzing system being configured to test and analyze the data gathered by the collection platform against pre-configured best practice standards and/or policies; and a reporting system configured to transmit the tested and analyzed data to the frontend, wherein this data is presented on the frontend for the one or more users to access and manage.

Such platforms may allow an IT audit to be conducted without requiring human effort or involvement, and may provide audit-as-a-service which avails IT security assurance on any IT environment, irrespective of the size, complexity, posture or maturity of the IT environment, effectively allowing for demonetization and democratization of the IT auditing process, and thus serving to better promote data security. The platforms may perform IT audits of the IT environment against specific standards, and may analyze process maturity, as well as analyze physical documents and/or written policies, this being achieved by obtaining data from various sources. Cognitive automation, rule configuration analysis, machine learning and artificial intelligence may be used by the platform to interpret the data and translate the results for auditors and their stakeholders to understand context and risk within the standards that the results are measured against, and in this way the platform may be configured to opine on the data which is extracted as well as other data which is manually submitted, by generating not only summaries but recommendations, such that the platform audits the IT environment automatically.

An exemplary embodiment of the recommendation process may be provided as follows. In a first step, the platform may assess the data set against pre-defined industry standards. In the absence of pre-defined standards for the particular industry into which the company that is being audited falls, or in the event that the company is at the junction of multiple industries and standards are otherwise not clearly defined, or in the event that the company has defined its own best practices or more rigorous requirements that are more stringent than the industry standard or which are deliberately weaker than the industry standard based on some other criteria (such as, for example, a need to maintain legacy systems which do not otherwise support best practices), these standards may be substituted instead. (In some cases, where a company has defined its own best practices and best practices are clearly defined for the industry in which the company participates or are clearly defined for comparable companies, multiple standards may be provided, such as the company's own defined standards and the prevailing standards.)

In a second step, the platform may measure the client data against the requirements defined by their own standards or the industry standards, and determine the absence or presence of an audit finding based on predefined logic and rules, as well as machine learning algorithms. The absence of a finding may serve as a first metric in determining a risk and a maturity level of the organization. Other metrics, such as the quantitative nature of the risk that the audit finding identified, the qualitative nature of the risk that the audit finding identified, the size of the organization's environment, the inherent risk of the industry that the organization operates in, or any other risk-relevant criteria such as the inherent risk of the geographical area that the organization operates in or does business in, and so forth, may also be evaluated. According to an exemplary embodiment, some of this information, such as the information regarding the organization's size, may be supplied directly to the platform or may be assumed based on data collected during scans. For example, the industry that the organization operates in may be supplied during setup.

In a third step, once results are generated, industry benchmarking can be applied, and the company may be presented with recommendations, including, for example, recommendations for high-end performance and recommendations for cost-effective alternatives.
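The three steps just described, carried through as one runnable example (added for this page; it is not the patent's code and does not reproduce any product's rule set): step one resolves which standards apply (a company-defined standard when present, the industry standard when one is clearly defined, otherwise a generic baseline, and both when both exist), step two measures the collected data against each applicable standard and derives a risk score and a maturity level from the findings plus the environment-size and industry-inherent-risk metrics named in the text, and step three compares the score with an industry benchmark and attaches a high-end and a cost-effective recommendation to each finding. The standards, weights, factors, benchmark figures and catalogue entries are all constructed.

```python
"""Added example (not the patent's own code) of the three-step recommendation
process: (1) resolve applicable standards, (2) measure collected data against
them and derive risk and maturity, (3) benchmark and recommend.
All standards, weights, factors, benchmarks and catalogue entries are constructed."""
from __future__ import annotations
from dataclasses import dataclass

# (1) Constructed requirement sets. Control ids double as keys of the observed data.
INDUSTRY_STANDARDS = {
    "finance": {"password_min_length": 14, "mfa_required": True, "patch_max_age_days": 14},
    "retail":  {"password_min_length": 10, "mfa_required": False, "patch_max_age_days": 30},
}
BASELINE_STANDARD = {"password_min_length": 8, "mfa_required": False, "patch_max_age_days": 60}
# How each control is compared and how much a failure weighs (assumed values).
CHECKS = {"password_min_length": ("min", 2), "mfa_required": ("flag", 3), "patch_max_age_days": ("max", 3)}
INDUSTRY_INHERENT_RISK = {"finance": 1.5, "retail": 1.0}
ENV_SIZE_FACTOR = {"small": 1.0, "medium": 1.2, "large": 1.5}
INDUSTRY_BENCHMARK = {"finance": 6.0, "retail": 4.0}   # constructed median risk scores
# (3) Constructed catalogue: one high-end and one cost-effective option per control.
CATALOGUE = {
    "password_min_length": ("enterprise password manager rollout", "enforce length via the existing domain policy"),
    "mfa_required": ("hardware-token MFA for all users", "app-based MFA for privileged accounts first"),
    "patch_max_age_days": ("commercial patch-management suite", "scheduled built-in OS update rings"),
}


@dataclass(frozen=True)
class Finding:
    control: str
    required: object
    observed: object
    weight: int


def resolve_standards(industry: str, company_standard: dict | None = None) -> list[tuple[str, dict]]:
    """Step 1: a company-defined standard is used when present, an industry standard is
    added when one is clearly defined, and the generic baseline is the fallback."""
    applicable = []
    if company_standard:
        applicable.append(("company", company_standard))
    if industry in INDUSTRY_STANDARDS:
        applicable.append((industry, INDUSTRY_STANDARDS[industry]))
    return applicable or [("baseline", BASELINE_STANDARD)]


def measure(data: dict, standard: dict) -> list[Finding]:
    """Step 2a: one finding per requirement the observed data fails to meet."""
    findings = []
    for control, (kind, weight) in CHECKS.items():
        required, observed = standard[control], data[control]
        ok = {"min": observed >= required,
              "max": observed <= required,
              "flag": (not required) or bool(observed)}[kind]
        if not ok:
            findings.append(Finding(control, required, observed, weight))
    return findings


def score(findings: list[Finding], industry: str, env_size: str) -> tuple[float, int]:
    """Step 2b: risk weights findings by environment size and industry inherent risk;
    maturity (1..5) rises with the share of requirements met."""
    raw = sum(f.weight for f in findings)
    risk = raw * ENV_SIZE_FACTOR[env_size] * INDUSTRY_INHERENT_RISK.get(industry, 1.0)
    passed = len(CHECKS) - len(findings)
    maturity = 1 + int(4 * passed / len(CHECKS))
    return round(risk, 2), maturity


def assess(data: dict, industry: str, env_size: str, company_standard: dict | None = None) -> list[dict]:
    """Runs all three steps, producing one report per applicable standard."""
    reports = []
    for name, standard in resolve_standards(industry, company_standard):
        findings = measure(data, standard)
        risk, maturity = score(findings, industry, env_size)
        benchmark = INDUSTRY_BENCHMARK.get(industry)
        reports.append({
            "standard": name,
            "findings": findings,
            "risk_score": risk,
            "maturity": maturity,
            "above_industry_benchmark": benchmark is not None and risk > benchmark,
            "recommendations": [{"control": f.control,
                                 "high_end": CATALOGUE[f.control][0],
                                 "cost_effective": CATALOGUE[f.control][1]} for f in findings],
        })
    return reports


# Constructed scan results for a mid-sized finance company.
SAMPLE_DATA = {"password_min_length": 12, "mfa_required": False, "patch_max_age_days": 20}

if __name__ == "__main__":
    for r in assess(SAMPLE_DATA, "finance", "medium"):
        print(r["standard"], r["risk_score"], r["maturity"], [f.control for f in r["findings"]])
```

Running the same scan data against the retail standard produces no findings, which is the point the text makes about standard selection: the risk and maturity figures are only meaningful relative to the standard chosen in step one, so a report should always carry the name of the standard it was measured against.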

Various exemplary embodiments of the overall system, or the individual platform or platforms, or methods for their use or software for implementing same, may thus be described in brief as follows. In a first exemplary embodiment, a method for performing an information technology audit using an automated platform may be described, which may include the following steps. A first step may include creating, via a user interface, a connector having a connector type, such as, for example, being a “canary connector,” and then defining, via the user interface, a configuration for the connector based on the connector type, which may potentially include editing the connector or otherwise assigning nonstandard behavior to it. This configuration may be stored as a stored configuration in the automated platform.

In following steps, one or more credentials may be assigned to the connector, and the automated platform may operate to validate the credentials. Following a validation of the credentials, the stored configuration may be retrieved from where it is stored in the automated platform, and a connector configuration may be synchronized between the connector and the stored configuration in order to ensure that each has the most current configuration. The system may then collect, from a data source and via the connector, a set of client data, and provide a data output to an application programming interface (API) and services platform based on the set of client data. During this process or following it, at least one data interpretation step may be executed on the API and services platform, with the at least one data interpretation step including passing the data output to at least one skills API, and performing, with the at least one skills API, digital interpretation of unstructured data provided in the data output.

The method may further include the step of executing, on a processing platform coupled to the API and service platform, at least one controls evaluation step, with this step including determination of a control output based on a result of the at least one data interpretation step, and further storing a result on the processing platform. This may include, for example, tests and analysis of data in order to determine compliance with controls guidelines or requirements.

The method may further include generating and updating a plurality of dashboards based on the result, a first dashboard being a summary dashboard including a plurality of graphical displays, each of the graphical displays corresponding to one or more control results, and a second dashboard being a monitoring dashboard including at least one currently actionable item identified by the processing platform. Further, the method may include generating and outputting at least one recommendation to the user for remediation of the at least one actionable item based on at least one comparison of a remediation solution to an alternative solution by the processing platform.

The step of generating and outputting the at least one recommendation may include steps of selecting the remediation solution from a list of available remediation solutions based on constraints provided by the user; conducting a first test of a network component with the remediation solution simulated as being in place; conducting a second test of a network component with the alternative solution simulated as being in place; and comparing a result of the first test and a result of the second test. One example set of constraints provided by the user would be a remediation budget, and the method may include determining a price of the remediation solution and determining an estimated efficacy of the remediation solution. For example, the system may optimize a plurality of recommended remediation solutions based on the price of each recommended remediation solution in the plurality of recommended remediation solutions and an estimated efficacy of each recommended remediation solution in the plurality of recommended remediation solutions. Other constraints might include, for example, a minimum rating that has been provided by other users; each remediation solution may be associated with a rating score, made up of at least one rating of one or more other users.
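The following block is an added example (written for this page, not the patent's own code) of the remediation-selection step just described, and of the budget-driven optimization described earlier for the recommendation process: free or no-cost controls are applied first, then paid tools are chosen to give the greatest estimated reduction in remaining issue severity within the user's budget and minimum-rating constraints, with each candidate set "simulated as being in place" and compared against the alternatives. The issues, tools, prices, efficacies, ratings and the multiplicative residual-severity model are all constructed assumptions.

```python
"""Added example (not the patent's own code) of budget-constrained remediation
selection: free tools first, then an exhaustive search over paid tools that
maximises estimated severity reduction subject to budget and a minimum rating.
Issues, tools, prices, efficacies, ratings and the severity model are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Tool:
    name: str
    price: float                 # one-off cost in currency units (constructed)
    efficacy: dict[str, float]   # issue -> fraction of that issue's severity removed
    rating: float                # average rating from other users, 0..5

    @property
    def is_free(self) -> bool:
        return self.price == 0


# Constructed open issues with severity on a 1..10 scale.
ISSUES = {"unpatched_hosts": 9.0, "weak_passwords": 7.0, "no_av": 6.0, "no_logging": 5.0}

# Constructed catalogue of remediation options.
CATALOGUE = [
    Tool("os_auto_update", 0, {"unpatched_hosts": 0.6}, 4.1),
    Tool("domain_password_policy", 0, {"weak_passwords": 0.7}, 4.4),
    Tool("builtin_av", 0, {"no_av": 0.5}, 3.9),
    Tool("patch_suite", 12000, {"unpatched_hosts": 0.9}, 4.6),
    Tool("password_manager", 4000, {"weak_passwords": 0.8}, 4.2),
    Tool("edr_platform", 15000, {"no_av": 0.95, "no_logging": 0.4}, 4.7),
    Tool("siem", 9000, {"no_logging": 0.9}, 3.5),
    Tool("cheap_edr", 3000, {"no_av": 0.6}, 2.8),
]


def simulate(issues: dict[str, float], tools) -> dict[str, float]:
    """Residual severity of each issue with the given tools 'in place'.
    Overlapping tools combine multiplicatively (an assumed model)."""
    residual = dict(issues)
    for t in tools:
        for issue, frac in t.efficacy.items():
            if issue in residual:
                residual[issue] *= (1 - frac)
    return residual


def total_severity(residual: dict[str, float]) -> float:
    return sum(residual.values())


def recommend(issues, catalogue, budget: float, min_rating: float = 0.0, max_paid_tools: int = 3) -> dict:
    eligible = [t for t in catalogue if t.rating >= min_rating]
    # Stage 1: every eligible no-cost control is applied first.
    free = [t for t in eligible if t.is_free]
    after_free = simulate(issues, free)
    # Stage 2: exhaustive search over small sets of paid tools within budget,
    # each set tested 'as if in place' and compared on remaining severity
    # (cheaper wins on a tie).
    paid = [t for t in eligible if not t.is_free]
    best, best_score = (), total_severity(after_free)
    for k in range(1, max_paid_tools + 1):
        for combo in combinations(paid, k):
            cost = sum(t.price for t in combo)
            if cost > budget:
                continue
            s = total_severity(simulate(after_free, combo))
            better = s < best_score - 1e-9
            same_but_cheaper = abs(s - best_score) < 1e-9 and cost < sum(t.price for t in best)
            if better or same_but_cheaper:
                best, best_score = combo, s
    return {
        "free": [t.name for t in free],
        "paid": [t.name for t in best],
        "spend": sum(t.price for t in best),
        "severity_before": round(total_severity(issues), 2),
        "severity_after": round(best_score, 2),
    }


if __name__ == "__main__":
    print(recommend(ISSUES, CATALOGUE, budget=20000, min_rating=4.0))
    print(recommend(ISSUES, CATALOGUE, budget=5000))
```

The minimum-rating constraint is applied before the free-first stage on purpose: a no-cost control that other users rate poorly is excluded like any other candidate, which changes the optimum (compare the two calls in the `__main__` block).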

The step of executing, on a processing platform coupled to the API and service platform, at least one controls evaluation step may include transmitting data from the API and service platform to the processing platform via a hypertext transfer protocol secure (HTTPS) representational state transfer (REST) API.

An example of unstructured data that may be fed into the system may be, for example, an image (such as JPG, PDF, PNG, etc.) of a password policy or an image of a password creation screen.

In the above-described method, many of the steps may be performed simultaneously or contemporaneously, such that part of a preceding step continues after a following step is executed. For example, in an exemplary embodiment, a step of providing the data output to the API and services platform based on the set of client data may be performed contemporaneously with the step of synchronizing the connector configuration between the connector and the stored configuration, such that the step of providing the data output to the API and services platform based on the set of client data is initiated during a synchronization process after the synchronization process has synchronized run-time settings. In another example, each of the steps of collecting, from the data source and via the connector, the set of client data, and providing the data output to the API and services platform based on the set of client data, may be performed contemporaneously, with a first set of data being output to the API and services platform prior to an end to a step of collecting the set of client data.

The step of generating and updating the first dashboard may include comparison to some external standard, and may include, for example, retrieving at least one of an industry standard, a similar-sized company standard, and a similar-complexity company standard, and generating the plurality of graphical displays based on the at least one of the industry standard, the similar-sized company standard, and the similar-complexity company standard. Any or all of the above may function as references for the purposes of comparison on an executive summary dashboard. Likewise, a past data record for the company or a forecast for the company may be used, alone or in combination with any of the above.

Providing a data output to an API and services platform based on the set of client data may make use of a message buffer, and as such this process may involve incorporating the data output into a message buffer, and then, with the API and services platform, consuming the message buffer prior to storage of the data output.
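As an added example of the message-buffer arrangement just described, and of the contemporaneous collection and output described two paragraphs earlier (example code written for this page, not the patent's or any product's implementation), the block below runs the connector and the consuming side of the API and services platform as two threads joined by a bounded queue: each page of client data is placed in the buffer as soon as it is collected, and the consumer takes it from the buffer and stores it while collection of later pages is still in progress. The source pages and the page delay are constructed; the list that stands in for storage is a stand-in for whatever store the platform uses.

```python
"""Added example (not the patent's own code): a connector streams collected
client data through a message buffer while the API and services platform
consumes it, so the first batch reaches storage before collection has
finished. The source records and timing are constructed."""
import queue
import threading
import time

SENTINEL = None   # end-of-collection marker placed in the buffer by the connector

# Constructed source records, as a connector might pull them page by page.
SOURCE_PAGES = [
    [{"host": "ws-01", "patched": True}, {"host": "ws-02", "patched": False}],
    [{"host": "ws-03", "patched": True}],
    [{"host": "srv-01", "patched": False}, {"host": "srv-02", "patched": True}],
]


def collect(pages, buffer: queue.Queue, progress: list, page_delay: float = 0.01) -> None:
    """Connector side: puts each page into the buffer as soon as it is collected.
    `progress` records how many pages have been collected so far."""
    for n, page in enumerate(pages, 1):
        time.sleep(page_delay)   # stands in for a slow data source
        buffer.put({"seq": n, "records": page})
        progress.append(n)
    buffer.put(SENTINEL)


def consume(buffer: queue.Queue, store: list, first_stored_at: list, progress: list) -> None:
    """API and services platform side: consumes the buffer and stores each batch.
    `first_stored_at` captures how far collection had got when the first batch was stored."""
    while True:
        msg = buffer.get()
        if msg is SENTINEL:
            break
        store.extend(msg["records"])
        if not first_stored_at:
            first_stored_at.append(len(progress))
        buffer.task_done()


def run_pipeline(pages=SOURCE_PAGES, maxsize: int = 2) -> dict:
    """Runs connector and consumer concurrently and reports what was stored."""
    buffer = queue.Queue(maxsize=maxsize)   # bounded: a slow consumer applies back-pressure
    store, progress, first = [], [], []
    producer = threading.Thread(target=collect, args=(pages, buffer, progress))
    consumer = threading.Thread(target=consume, args=(buffer, store, first, progress))
    consumer.start()
    producer.start()
    producer.join()
    consumer.join()
    return {
        "stored_hosts": [r["host"] for r in store],
        "pages_collected": len(progress),
        "first_batch_stored_after_pages": first[0] if first else None,
    }


if __name__ == "__main__":
    print(run_pipeline())
```

The bounded queue is the detail worth keeping from this example: with `maxsize` set, a connector that collects faster than the platform can interpret and store is paused by `put()` rather than allowed to grow the buffer without limit.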

Manual uploading of data, such as CSV files, may also be contemplated, and as such the method may further include steps of receiving, via the user interface, a submission of at least one data file; determining, based on one or more connectors including the connector, a matching connector in the one or more connectors (which may enable the file to be associated with an appropriate connector based on whatever information is available, such as a file extension name if the file is associated only with one type of program output, or other identifying information if the file is in a common format like a text file or CSV file); and automatically assigning the matching connector to the at least one data file, and uploading the at least one data file via the matching connector.
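An added example of the matching step (written for this page; not the patent's code and not any product's connector registry): a file extension that belongs to exactly one connector decides the match directly, and for common formats such as CSV or plain text the header row is compared with each connector's expected columns. The connector names, extensions and header signatures are constructed.

```python
"""Added example (not the patent's own code) of assigning a manually uploaded
file to a connector: a unique file extension decides directly; for common
formats the header row is compared with each connector's column signature.
Connector names, extensions and signatures are constructed."""
from __future__ import annotations
import csv
import io
from pathlib import PurePosixPath

# Constructed connector registry: extensions that only one program's output uses,
# and the column names a CSV export from that program is expected to contain.
CONNECTORS = {
    "vuln_scanner_export": {"extensions": {".vscan"},
                            "csv_headers": {"Plugin ID", "Severity", "Host"}},
    "ad_user_export":      {"extensions": set(),
                            "csv_headers": {"SamAccountName", "LastLogonDate", "Enabled"}},
    "av_status_export":    {"extensions": {".avlog"},
                            "csv_headers": {"Hostname", "DefinitionsDate", "RealTimeProtection"}},
}
COMMON_FORMATS = {".csv", ".txt", ""}


def _header_columns(content: str) -> set[str]:
    """Column names from the first non-empty line, parsed as CSV."""
    for line in content.splitlines():
        if line.strip():
            return {h.strip() for h in next(csv.reader(io.StringIO(line)), [])}
    return set()


def match_connector(filename: str, content: str) -> str | None:
    """Returns the matching connector name, or None when the file must be assigned by hand."""
    ext = PurePosixPath(filename).suffix.lower()
    by_ext = [name for name, c in CONNECTORS.items() if ext in c["extensions"]]
    if len(by_ext) == 1:
        return by_ext[0]
    if ext in COMMON_FORMATS:
        header = _header_columns(content)
        # A connector matches only if every column of its signature is present;
        # when several match, the most specific (largest) signature wins.
        candidates = [(len(c["csv_headers"]), name) for name, c in CONNECTORS.items()
                      if c["csv_headers"] and c["csv_headers"] <= header]
        if candidates:
            return max(candidates)[1]
    return None


if __name__ == "__main__":
    # Constructed uploads.
    print(match_connector("weekly.vscan", ""))
    print(match_connector("users.csv", "SamAccountName,LastLogonDate,Enabled,Department\nalice,2024-01-02,True,IT\n"))
    print(match_connector("notes.txt", "some free text"))
```

Requiring the whole signature to be present (rather than any overlapping column) is what keeps a generic export with a column such as `Hostname` from being routed to the wrong connector; a file that matches nothing is left unassigned so the user can choose.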

As noted, it may be contemplated to specify certain information for a connector and sync that information across all instances of the connector that are used by multiple instances of the program, if desired. Edits may be made to a connector type; for example, the method may include steps of, via the user interface, selecting the connector type, and performing, via the user interface, an edit to the connector type; and storing the edit to the connector type as the stored configuration in the automated platform prior to the step of creating, via the user interface, the connector having the connector type.

It may be contemplated that an advantage of the present system may be that multiple audit sources may be combinable into one lens automatically, such that, for example, three different systems may be tested for the same audit control, and then a combined set of results may be displayed. For example, according to an exemplary embodiment, a set of uploaded client data may include data corresponding to a plurality of client systems. The step of executing the at least one controls evaluation step may include determining an audit control to be executed, executing the audit control on the data corresponding to each of the plurality of client systems, and obtaining an audit control result for each of the plurality of client systems. The step of generating and updating the plurality of dashboards based on the result may include steps of simultaneously displaying each of the audit control results for each of the plurality of client systems.

The system may be multi-tenanted, and as such it may be contemplated to have the method include simultaneously executing a plurality of information technology audits, each of the plurality of information technology audits being operated in multi-tenanted form on the automated platform.

It may be contemplated to include multi-factor authentication and different levels of access for different users or administrators, and it may be contemplated to, for example, have the user authenticate by combining a credential code with a level of access code. The method may further include the steps of determining, via a multi-factor authentication step, a right of access of the user and a level of access of the user; and limiting the set of client data based on the level of access of the user.

It may also be contemplated to combine user profiles with a separately-managed organizational hierarchy by the use of a code exchange. For example, the set of client data may further include organizational hierarchy information, which may or may not be provided in full to the system. A user profile may be provided in the set of client data and may be identified. A unique code associated with the user profile may be transmitted, and the user linked to the organizational hierarchy via the code.

BRIEF DESCRIPTION OF THE FIGURES

Advantages of embodiments of the present invention will be apparent from the following detailed description of the exemplary embodiments thereof, which description should be considered in conjunction with the accompanying drawings in which like numerals indicate like elements, in which:

FIG. 1 depicts a flow chart showing the architecture of the platform which illustrates an exemplary method of operating;

FIG. 2 depicts a further flow chart showing an architecture of an exemplary embodiment of a connector;

FIG. 3 provides a comparison between an exemplary platform as provided herein and existing competitor solutions;

FIG. 4 shows an exemplary embodiment of a user interface of the platform, which specifically depicts a set of IT audit or IT audit services that may be consumed from an online marketplace;

FIG. 5 depicts another exemplary embodiment of a user interface of the platform showing the connectors which can be viewed and managed;

FIG. 6 depicts an exemplary embodiment of a web user interface for manual submission of evidence to be tested and analyzed;

FIG. 7A depicts another exemplary embodiment of a user interface of the platform showing the dashboards for reporting;

FIG. 7B depicts another exemplary embodiment of a user interface of the platform showing the dashboards for reporting, which may be linked to the user interface shown in FIG. 7A in a combined user interface;

FIG. 8 depicts another exemplary embodiment of a user interface of the platform showing remediation recommendations, risk ratings, and alerts for companies which form part of a group of companies;

FIG. 9 depicts another exemplary embodiment of a user interface of the platform showing platform insights relating to assets and security;

FIG. 10 depicts an exemplary process flow diagram for a recommendation generation function; and

FIG. 11 depicts an exemplary process flow diagram for a typical audit process that may be performed without the use of the present platform, such as might be understood in the prior art.

DETAILED DESCRIPTION

Aspects of the invention are disclosed in the following description and related drawings directed to specific embodiments of the invention. Alternate embodiments may be devised without departing from the spirit or the scope of the invention. Additionally, well-known elements of exemplary embodiments of the invention will not be described in detail or will be omitted so as not to obscure the relevant details of the invention. Further, to facilitate an understanding of the description, a discussion of several terms used herein follows.

As used herein, the word “exemplary” means “serving as an example, instance or illustration.” The embodiments described herein are not limiting, but rather are exemplary only. It should be understood that the described embodiments are not necessarily to be construed as preferred or advantageous over other embodiments. Moreover, the terms “embodiments of the invention”, “embodiments” or “invention” do not require that all embodiments of the invention include the discussed feature, advantage or mode of operation.

Further, many embodiments are described in terms of sequences of actions to be performed by, for example, elements of a computing device. It will be recognized that various actions described herein can be performed by specific circuits (e.g., application specific integrated circuits (ASICs)), by program instructions being executed by one or more processors, or by a combination of both. Additionally, these sequences of actions described herein can be considered to be embodied entirely within any form of computer readable storage medium having stored therein a corresponding set of computer instructions that upon execution would cause an associated processor to perform the functionality described herein. Thus, the various aspects of the invention may be embodied in a number of different forms, all of which have been contemplated to be within the scope of the claimed subject matter. In addition, for each of the embodiments described herein, the corresponding form of any such embodiments may be described herein as, for example, “logic configured to” perform the described action.

According to an exemplary embodiment, and referring generally to the Figures, various exemplary implementations of a platform for facilitating an IT audit may be disclosed.

Turning now to exemplary FIG. 1, FIG. 1 displays an exemplary flow chart showing the architecture of an exemplary embodiment of the platform, which illustrates an exemplary method by which the platform may operate. The platform may generally be divided into a connector portion 102, which may govern the integration of data from other software tools and platforms into the platform; an API and services platform 103, which governs the access and authentication of users to APIs and services, data routing and transaction monitoring; a platform portion 104, which may handle the requisite processing performed by the platform; and a web UI portion 106, which may display the results to the user.

Looking first at the connector portion 102, source data 108 may be fed into one of a plurality of connectors 102, which may be used to translate the data into an appropriate form. Various connectors 102 may be contemplated for different types of source data, each connector in the set of connectors 102 corresponding to one specific type of data.

According to an exemplary embodiment, the data incorporated into the connector framework 102 may be structured or may be unstructured, or a combination of the two, such as may be desired. In an exemplary embodiment, the collection of data through the connectors may be automated, such that the platform may be configured to interpret a data set, determine what connector would be appropriate for the data set in question, and upload the data via the appropriate connector. (This may be based on, for example, recognizing electronic data as being the output of a particular program based on its filetype or based on identifiers in the data, and selecting the connector corresponding to that program.)
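The connector selection step described above, as an added example that is not part of the patent's own disclosure: a small registry of recognizers inspects a data set's file type and then identifiers in its content, and returns the name of the connector that should translate it. The connector names, the recognition rules and the sample exports are assumptions constructed for the illustration. Unrecognized data is returned as a miss rather than forced through a default connector, since a wrong translation is worse than a flagged upload.

```python
import csv
import io
import json
from typing import Callable, List, Optional, Tuple

# Constructed sample inputs standing in for three source programs' output.
# None of this is real data.
SAMPLE_AD = b'[{"objectClass": ["top", "person", "user"], "sAMAccountName": "jdoe", "userAccountControl": 512}]'
SAMPLE_PASSWD = b"root:x:0:0:root:/root:/bin/bash\nsvc:x:1001:1001::/var/svc:/usr/sbin/nologin\n"
SAMPLE_SCAN = b"host,port,protocol,state\n10.0.0.5,22,tcp,open\n10.0.0.5,3389,tcp,closed\n"
SAMPLE_UNKNOWN = b"meeting notes: follow up with vendor\n"

# A recognizer looks at (filename, decoded text) and says whether the data
# looks like the output of the program its connector handles.
Recognizer = Callable[[str, str], bool]
REGISTRY: List[Tuple[str, Recognizer]] = []   # tried in registration order


def register(connector_name: str):
    """Decorator: add a recognizer for `connector_name` (names are assumptions)."""
    def wrap(fn: Recognizer) -> Recognizer:
        REGISTRY.append((connector_name, fn))
        return fn
    return wrap


@register("active_directory")
def looks_like_ad_export(filename: str, text: str) -> bool:
    # Assumed AD export format: a JSON list of objects carrying LDAP attributes.
    if not filename.lower().endswith(".json"):
        return False
    try:
        records = json.loads(text)
    except json.JSONDecodeError:
        return False
    return isinstance(records, list) and bool(records) and all(
        isinstance(r, dict) and "objectClass" in r and "sAMAccountName" in r
        for r in records
    )


@register("unix_passwd")
def looks_like_passwd(filename: str, text: str) -> bool:
    # /etc/passwd: every non-empty line has exactly seven colon-separated fields.
    lines = [ln for ln in text.splitlines() if ln.strip()]
    return bool(lines) and all(len(ln.split(":")) == 7 for ln in lines)


SCAN_COLUMNS = {"host", "port", "protocol", "state"}


@register("network_scan")
def looks_like_scan_csv(filename: str, text: str) -> bool:
    # Assumed scan-tool export: CSV whose header contains at least these columns.
    if not filename.lower().endswith(".csv"):
        return False
    header = next(csv.reader(io.StringIO(text)), None)
    return header is not None and SCAN_COLUMNS.issubset(h.strip().lower() for h in header)


def select_connector(filename: str, data: bytes) -> Optional[str]:
    """Return the connector that should translate `data`, or None if nothing matches."""
    text = data.decode("utf-8", errors="replace")
    for name, recognizer in REGISTRY:
        if recognizer(filename, text):
            return name
    # Deliberately no default: an unrecognized upload should be flagged for a
    # human rather than silently parsed as something it is not.
    return None
```

Recognizers are ordered from most to least specific so that a structured export is never claimed by a looser rule; a new source program is supported by registering one more recognizer, not by editing the selection logic.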

According to an exemplary embodiment, a connector framework 102, or any other part of a connector structure 102, may be secured based on a unique login or unique set of credentials by an administrator, such as an administrator of a registered organization. In an exemplary embodiment, these credentials may be created at setup and stored locally, being retained in the client environment in an encrypted format, along with any other setup or network credentials. (The key that protects this store should be held apart from the ciphertext, for example in the operating system's credential store or a hardware-backed key store; otherwise encrypting the file adds little.) This may ensure that control over the platform is retained by the client administrator.

According to an exemplary embodiment, each of the connectors in the connector framework 102 may connect to a platform 104 through an API and services platform 103 and an HTTPS REST API interface 112 or other API interface, with this platform including a backend, analysis, and data storage, such as may be desired. (In an exemplary embodiment, the platform 104 may be a cloud-based platform, with each of the backend 120, the analysis features 118, and the data storage features, such as big data cloud storage 115, customer-specific buckets and projects 116 and standard databases 117, being provided as services or created as custom services. This may allow certain advantages, such as the use of platform security services, to be realized. For example, in an exemplary embodiment, the use of the platform 104 to provide all of the underlying infrastructure may ensure that the service is operated wholly by a trusted party and can be installed by an outside IT organization without that IT organization having any underlying access to the data. In other exemplary embodiments, another cloud-based system, a local system, or a hybrid system may be contemplated.) In an exemplary embodiment, this interface 112, operating in concert with the API and services platform 103, may use TLS, with certificates to authenticate the endpoints and negotiated session keys to encrypt the traffic between the connector framework 102 and the platform 104.

According to an exemplary embodiment, the platform 104 may include a backend. The configuration of the platform 104 and any other components of the system may be managed in the backend 120. The platform may also provide data analysis 118 and data storage 116 as well as data processing 114. In particular, data may be received from the HTTPS REST API interface 112 by a data processing component 114, with connector feedback also being passed along with the data. The output of the data processing component 114 may then be stored in data storage 116, and data analysis may then be conducted on the stored data in the data storage component 116 once all data has been appropriately processed, formatted, and stored. (The output of the data analysis component 118 may also be stored in the data storage component 116.)

The output of the data analysis component 118 may also be provided to the backend 120 as part of a configuration step, as part of an overall process of managing the configuration in the backend. This may include, for example, access configuration, a step which may be performed in the backend 120 in order to provide configuration of core functions of a platform, information output (such as information that may be extracted via the connectors), and user administration. The functions of the backend 120 may thereby also control how the data analysis 118 step is performed.

The data storage component 116 and the backend component 120 may each be accessed by another API interface, such as another HTTPS REST API interface 122. According to an exemplary embodiment, this HTTPS REST API interface 122 may be accessed by the API interface 132 of the API and services platform 103, or by the web user interface 106, through which the user may also upload data. According to an exemplary embodiment, access to this HTTPS REST API interface 122 via the UI 106 and API interface 132 may be secured using multifactor authentication, which may be handled by the backend 120 or by any other component of the platform, such as may be desired. (For example, in an exemplary embodiment, the backend 120 may be configured to generate and send email messages or text messages, for example carrying a one-time code, to a designated email address or phone number of the user, in order to verify that the user controls that email address or phone and so is more likely to have been properly identified.) In an exemplary embodiment, the HTTPS REST API interfaces 112 and 122 and the API interface 132 may make use of certificates and session keys to encrypt traffic, such as may be desired.

This UI may allow for the manual submission of data in any compatible form, such as documents or sets of documents 124, printscreens 126, lists 128, and any other data such as may be desired. As such, this may allow for such data or evidence to be collected manually and submitted by the user 130. Manual submission is facilitated through the HTTPS web portal 106, which as mentioned may connect to the platform via the HTTPS REST API interface 112 and API interface 132. According to an exemplary embodiment, multi-factor authentication may be used in order to secure the upload interface, such that a secure login with multi-factor authentication may be required of the user in order to submit and view data. In an exemplary embodiment, password security may be handled by the backend system, which may natively validate credentials as required. In an exemplary embodiment, a salted, hashed password store, or any other scheme in which passwords are never stored in plain text, may be contemplated. In an exemplary embodiment, other elements of the login process may be linked to an external platform, such that, for example, the platform manages an active instance of the program upon login. For example, the platform may be updated on a regular schedule, with the updates creating a new instance of the program which may be pushed to users. Upon logging in, the platform may automatically migrate the users to the new branch.
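One way to implement the password and second-factor handling just described, as an added example and not the platform's own authentication code: passwords are stored only as salted PBKDF2-HMAC-SHA256 hashes, and the e-mail or SMS step is modelled as a short-lived, single-use numeric code whose hash, not its plaintext, is held server-side. The iteration count, code length, lifetime and attempt budget are assumptions; comparisons are constant-time so that the verifier cannot be used as a timing oracle for partially correct guesses.

```python
import base64
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 600_000   # assumption: current public guidance for PBKDF2-SHA256
OTP_DIGITS = 6                # assumption: code length sent by e-mail or SMS
OTP_TTL_SECONDS = 300         # assumption: code lifetime
OTP_MAX_ATTEMPTS = 5          # assumption: guesses allowed per challenge


def hash_password(password: str, *, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt_b64>$<hash_b64>'; never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "$".join([
        "pbkdf2_sha256",
        str(PBKDF2_ITERATIONS),
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iterations, salt_b64, hash_b64 = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        rounds = int(iterations)
    except (ValueError, TypeError):
        return False                      # malformed record: fail closed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(candidate, expected)


@dataclass
class OtpChallenge:
    """Server-side state for one issued code. Only the code's hash is kept."""
    code_hash: bytes
    expires_at: float
    attempts: int = 0
    used: bool = False


def _hash_code(code: str) -> bytes:
    return hashlib.sha256(code.encode()).digest()


def issue_otp(now: Optional[float] = None) -> Tuple[str, OtpChallenge]:
    """Return (code to deliver to the user, challenge record to store)."""
    now = time.time() if now is None else now
    code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
    return code, OtpChallenge(code_hash=_hash_code(code), expires_at=now + OTP_TTL_SECONDS)


def verify_otp(challenge: OtpChallenge, submitted: str, now: Optional[float] = None) -> bool:
    """Accept one correct code, within its lifetime and within the attempt budget."""
    now = time.time() if now is None else now
    if challenge.used or now > challenge.expires_at:
        return False
    if challenge.attempts >= OTP_MAX_ATTEMPTS:
        return False                      # budget exhausted: even the right code is refused
    challenge.attempts += 1
    if hmac.compare_digest(_hash_code(submitted), challenge.code_hash):
        challenge.used = True             # single use: a replayed code fails
        return True
    return False
```

The attempt counter is incremented before the comparison, so a six-digit code cannot be brute-forced within its five-minute window, and a used or expired challenge is refused before any comparison takes place.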

The connectors 102, web UI 106, and platform 104, put together, may form the system for facilitating an automated IT audit, with the platform 104 being configured to interface with the web UI 106 and retrieve data via the connectors 102.

In an exemplary embodiment, the system may be implemented according to a multitenancy approach, whereby multiple independent instances of the system for facilitating an automated IT audit may be run simultaneously in a shared environment, such as a central server or set of cloud servers. This may ensure that multiple audits can be performed at once, by separate organizations or even by separate audit teams that do not necessarily wish to directly disclose information to one another.

It may also be contemplated to have individual components of the platform be relatively isolated from one another, such that certain components are “ring-fenced” from one another, or such that certain components are multitenanted within the same environment. In an exemplary embodiment, the platform may be modular and as such each component may be updated individually, such that multitenanted instances can be customized to the user's needs, such as may be desired. For example, in an exemplary embodiment, the individual connectors 102 used by the platform may be specified individually by the user, and as such the individual connectors 102 may be updated separately. According to an exemplary embodiment of the system, each of the connectors 102 may be managed through an on-premise installer operated by the platform that requires updates from time to time, and which may in some exemplary embodiments be provided with updates on the same schedule as the remainder of the platform. For example, according to an exemplary embodiment, a notification may be provided to a user regarding one of the connectors 102 being eligible for an update. The user may then download an installation binary, install the updated connector, and replace the outdated one. (Because that binary is downloaded into the client environment and runs with the connector's credentials, it should be signed by the platform and the signature verified before installation.) In an exemplary embodiment, the platform may restrict the use of outdated connectors 102 or connectors 102 that are a certain number of updates behind, ensuring that data collected by the connector cannot be uploaded until the connector 102 has been updated. The use of a cloud system for a substantial portion of the backend of the contemplated platform may ease other update processes, and in an exemplary embodiment updates may be made to the cloud software as soon as they become available.

Turning to the source data components 108, according to an exemplary embodiment, the connectors 102 that may be used to integrate the source data 108 may be a combination of local or “on-premise” connectors and connectors located in the cloud. In an exemplary embodiment, some or all of the connectors 102 may be virtualized via containers or through services, though other implementations are of course possible.

According to an exemplary embodiment, the connectors 102 may be integrated with the data storage components 116 of the platform through the API and services platform 103 and REST API interface 112, or any other message integrator, such as may be desired. The API and services platform 103 and REST API interface 112 together form a software application that may be used to link the outputs and inputs of many other software applications in many-to-one, one-to-many, or many-to-many fashion. In this application, a publisher application, or a plurality of publisher applications, may create and send messages to a “topic,” which may be managed by the API and services platform 103 and REST API interface 112. Subscriber applications may then create a “subscription” to the topic in order to receive messages from it. In a “one-to-many” use of the application, the direct output of a publisher application is a topic, and each message on that topic is “fanned out” to every subscription on it, and so to each subscriber application. Likewise, in a “many-to-one” use, the publisher applications may each output to different topics (or to the same topic, if desired), and a single subscriber application may hold a subscription to each of them, “fanning in” the data instead of fanning it out. A “many-to-many” use of the application is essentially a combination of the two.

To provide an example of how “fanning in” and “fanning out” may each work in this framework, consider first a “fanning in” case in which multiple publishers publish to different topics that are each subscribed to by the same subscriber. A first publisher P1 and a second publisher P2 may provide, respectively, a first message M1 and a second message M2. The first message may be interpreted by the API and services platform 103 and REST API interface 112 as belonging to the topic of the first publisher P1, which may be topic A. The second message may be interpreted as belonging to the topic of the second publisher P2, which may be topic B. A subscriber X may hold a subscription XA to topic A and a subscription XB to topic B, and, as a result of the publishers' postings, a message is delivered to each of subscriptions XA and XB, so that both messages arrive at subscriber X. In a “fanning out” case, by contrast, only one topic C may be fed by a message M3 of publisher P3, and this topic may be used to generate one copy of the message for the subscription YC of subscriber Y and another for the subscription ZC of subscriber Z.

The API and services platform 103 may include a messaging framework configured to receive a message associated with a particular publisher application, which may be assigned to the topic of that publisher. (Each message may include, for example, a message payload and optional attributes that describe the message's content.) Upon being routed to a subscription, the message may be held in a message store until it has been delivered to, and acknowledged by, the platform 104. Messages on a topic may be sent to every service holding a subscription to it, including the API interface 112. Each subscriber receives its messages and returns an acknowledgment, which, when received, removes the message from the platform's queue of messages; a message that is not acknowledged remains in the queue.
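The topic and subscription routing of the preceding three paragraphs, as an added example rather than the platform's own messaging layer: an in-memory broker in which publishing to a topic stores one copy per subscription (fan-out), a subscriber may pull from subscriptions on several topics (fan-in), and a message stays in the store until acknowledged, so an unacknowledged message is handed out again on the next pull. The P1/P2/P3 scenario from the text is reproduced in fan_in_demo(); the class and method names are assumptions.

```python
import itertools
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Set


@dataclass(frozen=True)
class Message:
    id: int
    topic: str
    payload: bytes
    attributes: Dict[str, str] = field(default_factory=dict)   # optional descriptors


class Broker:
    """Topics, subscriptions, per-subscription queues, and acknowledgement."""

    def __init__(self) -> None:
        self._ids = itertools.count(1)
        self._topics: Dict[str, List[str]] = {}            # topic -> subscription names
        self._pending: Dict[str, Deque[Message]] = {}      # subscription -> unacked messages
        self._outstanding: Dict[str, Set[int]] = {}        # subscription -> ids delivered, unacked

    def create_topic(self, topic: str) -> None:
        self._topics.setdefault(topic, [])

    def subscribe(self, topic: str, subscription: str) -> None:
        """Attach `subscription` to `topic`. A subscription belongs to exactly one topic."""
        if topic not in self._topics:
            raise KeyError(f"unknown topic {topic!r}")
        if subscription in self._pending:
            raise ValueError(f"subscription {subscription!r} already exists")
        self._topics[topic].append(subscription)
        self._pending[subscription] = deque()
        self._outstanding[subscription] = set()

    def publish(self, topic: str, payload: bytes, **attributes: str) -> Message:
        """Store one copy of the message per subscription on the topic (fan-out)."""
        if topic not in self._topics:
            raise KeyError(f"unknown topic {topic!r}")
        msg = Message(next(self._ids), topic, payload, dict(attributes))
        for sub in self._topics[topic]:
            self._pending[sub].append(msg)
        return msg

    def pull(self, subscription: str, max_messages: int = 10) -> List[Message]:
        """Deliver pending messages without removing them; they stay until acked."""
        batch = list(itertools.islice(self._pending[subscription], max_messages))
        self._outstanding[subscription].update(m.id for m in batch)
        return batch

    def ack(self, subscription: str, message_id: int) -> bool:
        """Remove an acknowledged message from the store; ids never delivered are ignored."""
        if message_id not in self._outstanding[subscription]:
            return False
        self._outstanding[subscription].discard(message_id)
        queue = self._pending[subscription]
        for i, m in enumerate(queue):
            if m.id == message_id:
                del queue[i]
                return True
        return False

    def backlog(self, subscription: str) -> int:
        return len(self._pending[subscription])


def fan_in_demo() -> Dict[str, List[bytes]]:
    """P1 -> A and P2 -> B fan in to subscriber X; P3 -> C fans out to Y and Z."""
    b = Broker()
    for t in ("A", "B", "C"):
        b.create_topic(t)
    b.subscribe("A", "XA")   # subscriber X holds two subscriptions
    b.subscribe("B", "XB")
    b.subscribe("C", "YC")   # topic C is fanned out to Y and Z
    b.subscribe("C", "ZC")
    b.publish("A", b"M1", publisher="P1")
    b.publish("B", b"M2", publisher="P2")
    b.publish("C", b"M3", publisher="P3")
    received: Dict[str, List[bytes]] = {}
    for sub in ("XA", "XB", "YC", "ZC"):
        batch = b.pull(sub)
        received[sub] = [m.payload for m in batch]
        for m in batch:
            b.ack(sub, m.id)
    return received
```

Because delivery and acknowledgement are separate steps, a subscriber that crashes between the two sees the same message again on restart; consumers on this kind of queue must therefore make their processing idempotent.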

The platform may then pass these messages to subscriber programs, which may perform, for example, the data storage 116 functions of the invention. According to an exemplary embodiment, messages may be passed from the REST API interface 112 to the platform 104 for testing and analysis.

According to an exemplary embodiment, a test and analysis system may include the backend 120 processing, application of machine learning 110, data analysis 118 and data storage 115 and 117. In an exemplary embodiment, a clustering system 117 may be implemented which may be configured to perform clustering or cluster analysis. In an exemplary embodiment, a data warehouse 115 for big data analysis may be configured to analyze and store the data.

In an exemplary embodiment, a backend system 120 may include a cloud integration system, including, for example, a Web framework. The cloud integration system may further include a database system 117, which may in some exemplary embodiments be maintained via a fully-managed database service which enables users to set up, maintain, manage, and administer relational databases that make use of relational database services. The cloud integration system may further include cloud storage 116. The cloud integration system may further include configuration details, which may be managed in the backend and used to control the API and service platform 103.

According to an exemplary embodiment, the testing and analyzing system 113 and the backend system 120 may receive and store the results of data analysis from the analysis components 118 and machine learning services 110. In an exemplary embodiment, the testing and analyzing system 113 and the backend system 120 may each receive the results of different analysis components 118 and machine learning services 110. For example, according to an exemplary embodiment, the testing and analyzing system 113 may be connected to a cloud service for running server clusters, which may be used in order to operate the clustering system or perform necessary tasks. This service may allow clusters to be created on demand: instead of instantiating a cluster and then assigning jobs to it, users may submit jobs and have a cluster tailored to fit each job. This provides for more efficient operation overall for most applications, at the cost of a small “boot-up tax” of around a minute while the job is submitted and the cluster is created. The backend system 120, on the other hand, may receive the results of jobs, which may containerize the elements of a job queue. In an exemplary embodiment, the job queue may be maintained in compute 114. The backend system may further be connected to a data upload system, such as a machine learning 110 system, which may allow physical documents to be scanned, deciphered, and uploaded to the platform 104 as intelligible data.

The platform 104 may then be connected to a frontend 106 via the API interface 112, which may provide a user interface that allows for user interaction with the platform and system, and may allow for manual uploading of data.

In an exemplary embodiment, the overall platform may provide machine learning services 110, which may be facilitated by a cloud machine learning API, vision API, speech API, translation API and natural language API, and which may be implemented in the platform 104 or the testing and analyzing system 118. The machine learning services 110 may also be made available through the API and services platform 103 as a skill 101 to be used in evaluations 100.

Turning now to exemplary FIG. 2, FIG. 2 provides an exemplary embodiment of a data collection mechanism implemented using a connector 200, which may be implemented as one or more of the connector services 102 previously described with regard to FIG. 1. According to an exemplary embodiment, such a data collection mechanism implemented using a connector 200 may function as follows. In a first step, the connector may be created 202, and may be appropriately configured, based on data input from the frontend of the platform, such as a web user interface providing a connector configuration and creation page that allows the capturing of specific setup details. This configuration may then be sent to the backend 204, and may be stored in a datastore 206, which may, for example, be cloud storage.

Once this takes place, or at any other point in the process, the connector may be set up 208, which may include, for example, installing an executable downloaded from the configuration and creation page, or which has otherwise been obtained. (For example, it may be contemplated to have some or all connectors be configured in an original state of the program, or it may be contemplated to have users create new connectors based on provided configurations, such as may be desired. As such, it may be contemplated to have a connector be set up immediately after a creation step 202 and prior to a separate configuration step, or, for example, to have a connector be set up with a given configuration.)

The connector may then be configured using unique credentials 208 in order to enable the connector to authenticate with the platform backend. Once the connector is set up 208 with the appropriate credentials, the credentials may be authenticated via the backend 210, by sending them to the backend for verification 212, which may then determine validity. If the credentials are not valid, the process may be terminated 214, such as with an error. Optionally, the platform may be configured to take additional action in such a situation, and may, for example, provide a user output regarding the nature of the error in verification if any user output can be provided. (For example, it may be contemplated that an attempt to pair a connector with a data source may fail because of an improper username, such as a typographical error in the username. The data source may then report that the username does not exist, and this may be passed along to the frontend. Such detail should be shown only to the authenticated administrator configuring the connector, since a message that distinguishes a non-existent username from a wrong password also tells an attacker which usernames exist. It may alternatively be contemplated that further verification of credentials is required than what may be possible for the backend to execute; for example, it may be the case that any access attempt requires two-factor authentication or other authorization, and this may have to be separately performed in order to properly configure the connector.)

If the backend verifies the credentials 212, the platform may retrieve a configuration 216, which may involve getting appropriate configuration information from the backend, which may ultimately be retrieved from the datastore 218. This configuration data that may be retrieved from the datastore 218 may be, for example, stored configuration data provided in an earlier step 206, such as user-specified configuration data stored as a result of the user creating the connector and inputting configuration information on the frontend 202. This retrieved configuration information 218 may then be passed from the datastore, to the backend, and finally to the connector. In an exemplary embodiment, the connector may function to synchronize configurations between the cloud-based backend and the connector, which may be on-premise or may be cloud-based. This may ensure that the latest configurations are consistently applied to the connector.

In an exemplary embodiment, a connector 200 may be configured to scan the local environment to retrieve data or may be configured to retrieve data from a particular API or other program. In an exemplary embodiment, such activity may be configured to occur at a predetermined time or at a predetermined frequency. For example, in an exemplary embodiment, this may be performed as soon as the run-time configuration settings are reached and retrieved, which may be a trigger for the connector to connect to the data source and retrieve data. In another exemplary embodiment, such activity may be configured to be performed once triggered by the user. It also may be contemplated to combine elements of each, if desired; for example, certain data may be automatically fetched and cached when convenient, and may be referenced when a user triggers a scan, while other data may be retrieved as part of the scan, if desired. In an exemplary embodiment, the streaming to the platform may begin as soon as data is collected and may be terminated with the completion of the connector by an end message.

According to an exemplary embodiment, once configuration information is retrieved and it is determined what information should be scanned for, it may be determined whether or not it is an appropriate time to perform a scan. If it is not an appropriate time to perform a scan, the platform may then return to the previous step and await any changes in configuration 216. If it is an appropriate time to perform a scan, the platform may then connect to the destination with which the connector is associated, and may then retrieve data 220. Data may then be shipped. The platform may then determine whether further scans need to be conducted.

In an exemplary embodiment, once data is authorized and shipped from the connector, data may be received at the message buffer. The backend may then retrieve and consume the data in the buffer and store the data 222 as connector data 224 in the datastore. This data may then be used in other platform operations, such as may be desired.
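The backend-side checks across the connector flow of FIG. 2 (credential verification, configuration retrieval, data shipping), the refusal of outdated connectors discussed with FIG. 1, and the per-connector schedule window of the FIG. 5 listing, as one added example that is not the platform's own code. It assumes a wire format in which each connector request carries an HMAC-SHA256 tag over the connector id, connector version, timestamp and body, keyed with the unique secret issued when the connector was created; the replay window, the permitted number of releases behind current, and the release list are assumptions as well. The tag is checked before the version claim is trusted, and a connector that is too far behind is refused so that its data is not uploaded.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

REPLAY_WINDOW_SECONDS = 300   # assumption: a signed request older than this is refused
MAX_RELEASES_BEHIND = 2       # assumption: "a certain number of updates behind"


@dataclass
class ConnectorRecord:
    """What the backend keeps for a connector after creation (FIG. 2, 202-206)."""
    connector_id: str
    secret: bytes                 # the unique credential issued to this connector
    config: Dict[str, object]     # configuration captured on the frontend
    schedule_start: date          # schedule window as on the FIG. 5 listing
    schedule_end: date
    enabled: bool = True
    data: List[bytes] = field(default_factory=list)   # stored connector data (224)


def parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(x) for x in v.split("."))


def sign_request(secret: bytes, connector_id: str, version: str, ts: int, body: bytes) -> str:
    """Connector side. Length-prefixing each field keeps the tag unambiguous."""
    mac = hmac.new(secret, digestmod=hashlib.sha256)
    for part in (connector_id.encode(), version.encode(), str(ts).encode(), body):
        mac.update(len(part).to_bytes(4, "big"))
        mac.update(part)
    return mac.hexdigest()


class Backend:
    def __init__(self, releases: List[str], records: Dict[str, ConnectorRecord]) -> None:
        self._releases = [parse_version(r) for r in releases]   # oldest first
        self._records = records

    def _authenticate(self, connector_id: str, version: str, ts: int, body: bytes,
                      tag: str, now: int) -> Tuple[Optional[ConnectorRecord], str]:
        """Steps 210-214: credentials first, then the (now trusted) version claim."""
        rec = self._records.get(connector_id)
        if rec is None:
            return None, "unknown connector"
        if abs(now - ts) > REPLAY_WINDOW_SECONDS:
            return None, "stale timestamp"
        expected = sign_request(rec.secret, connector_id, version, ts, body)
        if not hmac.compare_digest(expected, tag):
            return None, "bad credentials"
        try:
            behind = len(self._releases) - 1 - self._releases.index(parse_version(version))
        except ValueError:
            return None, "unknown connector version"
        if behind > MAX_RELEASES_BEHIND:
            return None, f"connector {behind} releases behind; update required"
        return rec, "ok"

    def get_config(self, connector_id: str, version: str, ts: int, tag: str,
                   now: int) -> Tuple[Optional[Dict[str, object]], str]:
        """Steps 216-218: return stored configuration only to a verified connector."""
        rec, reason = self._authenticate(connector_id, version, ts, b"", tag, now)
        return (dict(rec.config) if rec else None), reason

    def upload(self, connector_id: str, version: str, ts: int, body: bytes, tag: str,
               now: int, today: date) -> Tuple[bool, str]:
        """Steps 220-224: accept shipped data inside the connector's schedule window."""
        rec, reason = self._authenticate(connector_id, version, ts, body, tag, now)
        if rec is None:
            return False, reason
        if not rec.enabled or not (rec.schedule_start <= today <= rec.schedule_end):
            return False, "connector disabled or outside scheduled window"
        rec.data.append(body)
        return True, "stored"


def demo() -> Dict[str, object]:
    """Walk a constructed connector through the good path and each refusal."""
    secret = b"constructed per-connector secret"
    rec = ConnectorRecord("ad-demo", secret, {"scan": "users", "every": "daily"},
                          date(2024, 1, 1), date(2024, 12, 31))
    backend = Backend(["1.0.0", "1.1.0", "1.2.0", "1.3.0"], {"ad-demo": rec})
    now, today, body = 1_700_000_000, date(2024, 6, 1), b'{"users": 42}'
    tag = sign_request(secret, "ad-demo", "1.3.0", now, body)
    return {
        "config": backend.get_config("ad-demo", "1.3.0", now,
                                     sign_request(secret, "ad-demo", "1.3.0", now, b""), now),
        "upload": backend.upload("ad-demo", "1.3.0", now, body, tag, now, today),
        "tampered": backend.upload("ad-demo", "1.3.0", now, body + b" ", tag, now, today),
        "replayed": backend.upload("ad-demo", "1.3.0", now, body, tag, now + 3600, today),
        "outdated": backend.upload("ad-demo", "1.0.0", now, body,
                                   sign_request(secret, "ad-demo", "1.0.0", now, body), now, today),
        "off_schedule": backend.upload("ad-demo", "1.3.0", now, body, tag, now, date(2025, 1, 1)),
        "stored": len(rec.data),
    }
```

Binding the version into the signed data matters: without it, an old connector could claim a current version string and bypass the update gate, since the backend has no other way to know which binary produced the upload.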

Turning now to exemplary FIG. 3, FIG. 3 provides a comparison 300 between an exemplary platform as provided herein 314 and existing competitor solutions 312, for the purpose of illustrating certain advantages presented by the exemplary platform. As noted herein, the existing tools in the market are not configured to carry out IT audits end-to-end and do not provide an audit opinion of the environment against industry and best practice standards. In terms of what intelligence is offered 302, existing tools 312 may simply provide data for analysis, while the present platform 314 may also opine on any data that it may assemble, and may use it as the basis for generating recommendations. In terms of workflow management 304, existing systems 312 may be limited to facilitating the work flow of audit evidence, while the present platform 314 may also perform an audit evaluation on the audit evidence, using cognitive automation and robotic processing. In terms of acting as a document repository 306, existing systems 312 may facilitate the storage of audit evidence that has been collected, while the present platform 314 may also perform audit evaluations on the stored audit evidence. In terms of acting as an audit tool 308, existing systems 312 may perform limited audit evaluations in highly specific instances, whereas the present platform 314 may perform a fully integrated (“cradle-to-grave”) and automated IT audit function across the IT environment. In terms of acting as an IT monitoring tool 310, existing systems 312 may provide specific tools that are specific to individual systems, whereas the present platform 314 may integrate these tools in a useful fashion that allows their inputs to be translated into a form usable by the present platform 314. As such, the present platform 314 may not displace or replace existing investments in tools, and may allow the outputs of these tools to be robustly interrogated against audit evidence, and may further allow comparisons to be collated and aggregated in order to provide a single view of the IT environment through an audit lens.

Turning now to exemplary FIG. 4, FIG. 4 depicts an exemplary embodiment of a user interface of the system, which may specifically depict a set of IT audits or IT audit services that may be consumed from an online marketplace. (Various exemplary embodiments of an online marketplace system may be envisioned and may be paired with the auditing platform in different ways. For example, it may be contemplated to have users provided with a “build-your-own audit” system in a first marketplace, and to have predefined “packages” including the most common auditing tools in a second marketplace, including packages for certain types of audit such as financial audits.) In the exemplary embodiment of FIG. 4, the IT audits or IT audit services may be selected from an online marketplace which allows for flexible and tailored purchasing and billing options. Such a system may be modular and scalable, in such a manner that it can be tailored to suit the needs and/or requirements of a company, group of companies and users. The IT audit services provided by the platform may be consumed in modules and are tailored based on the risk profile of the group of companies.

For example, according to an exemplary embodiment, a user may be invited by the interface to “Build your own audit.” In such a configuration, the user may be able to select one or more modules that they would like to include as part of their audit, such as a “Comprehensive User Administration” module 402 (which may be associated with a certain number of controls or scans), as well as similar configurations for IT operations 404, and IT auditing 406. In some exemplary embodiments, certain tools may be necessary to the audit as a whole, and may be automatically selected; for example, in an exemplary embodiment, an audit may necessarily include a “Comprehensive User Administration module” 402, which includes the complete suite of all controls and tools that will allow the platform to perform a user administration audit over the users in the IT environment on a continuous basis. Such information may then be used in order to generate recommendations based on the other selected modules 404, 406. For example, an IT operations audit 404 may generate recommendations based on a threat analysis of the IT environment, a cloud readiness module may generate recommendations based on the storage locations of the user's data and the amount of digitization of the user's data; and the mobile device module may generate recommendations based on the compatibility of the user's systems with mobile devices. In some exemplary embodiments, users may also be able to select their own controls or a subset of the controls 408 through a control display in order to generate custom modules, which may, for example, allow a user to audit their dormant user profiles, profiles for terminated employees, and any other controls that might be specified. (For example, in the depicted exemplary embodiment, users may be able to select a full set of controls in a first package 410 or a second, more limited set of controls in a second package 408, with the first package being a more expensive comprehensive package and the second package being a less expensive demo package with lesser functionality. For example, a comprehensive package may be configured to automatically execute some elements of a scan, such as by having up to some number of systems automatically perform a scan every single day, and a limited package may not have these features or may otherwise not include certain controls or be limited in the number of scans that can be made. In addition to these differences, users may also be able to select, for example, a number of connectors that may be provided with the package, a number of licenses of the software or a number of devices on which it will be installed, and a number of users it may be applicable to, such as may be desired. Similar options may be available for other types of controls other than user administration controls as provided in the Comprehensive User Administration module 402, such as may be desired.) Users may also be able to select a customized billing period, such as daily, weekly, monthly, and so forth, which may be specified differently for each module. (In some exemplary embodiments, this may affect the activity of the platform; for example, in an exemplary embodiment, recommendations may be generated by the platform at the conclusion of each billing cycle.)

Turning now to exemplary FIG. 5, FIG. 5 depicts another exemplary embodiment of a user interface of the platform 500 showing the connectors which can be viewed and managed. As provided in FIG. 5, the connectors 502 set up on the platform 500 may be listed and viewable on the UI. For example, these connectors include connectors for MICROSOFT ACTIVE DIRECTORY (indicated in this case to be a demo for that tool), a network scan connector, a connector for CANARY, a connector for SQL, and a connector for UNIX. These connectors 502 may provide a framework for integrating, respectively, data provided by MICROSOFT's ACTIVE DIRECTORY software (a directory service for WINDOWS domain networks which provides domain management and other functionality), a user's network scan tool, the output of a user's CANARY tool (an intrusion detection device designed to emulate a realistic network device and monitor access attempts), information stored in a SQL database, and information stored in a UNIX device, such as a UNIX server. Other connectors may be made readily available and may be retrieved as appropriate; for example, it may be noted that several pages of other connectors are also provided in FIG. 5, which may be searchable and may be edited or downloaded as appropriate.

In an exemplary embodiment, any or all of the connectors 502 may be provided with an ID 504, and may be designated as being of a particular type 506, such as a type available through the cloud (such as a connection to a website or a connection to a CANARY device), or a type which may be provided as operational executables which may be stored locally, such as may be desired. This may be designated by an appropriate label, such as ACTIVE DIRECTORY or UNIX, or otherwise, such as may be desired. Connectors may be provided according to a particular schedule including a schedule start date 508 and a schedule end date 510 for that connector (which may be, for example, a start and end date of a billing cycle for that connector, or otherwise may be a date range in which use of the connector may be enabled, such as may be desired), and may be listed as being active or inactive 512 when enabled or disabled, such as may be desired. Connectors 502 may also be enabled or disabled by a switch or other control mechanism 514, as desired, or may be edited 516 if desired. (In an exemplary embodiment, edits made to a connector 516 may be stored centrally, such that it may be updated once and downloaded more than one time, if desired.) The platform may, for example, be configured to operate in IT environments enabled virtually through deployment of the connectors into the IT environment.

In an exemplary embodiment of the platform, it may be contemplated to have new connectors 502 be added to the existing set, such as through an “add connector” functionality 518. For example, according to an exemplary embodiment, the platform may be connected to new connectors 502 regularly, and the new connectors 502 may be deployed regularly. Exemplary embodiments of connectors 502 may be enabled virtually with limited performance impact on any network or computer processing unit (CPU) of the IT environment. Simultaneous deployment of connectors 502 is also accommodated. A variety of deployment mechanisms may be available for particular connectors 502, including existing supported deployment mechanisms provided through the system provider or self-developed deployment mechanisms performed entirely by the users themselves. The connectors 502 may be configured to only collect data relating to the IT environment based on the connectors 502 the administrator selects, downloads and implements, in conjunction with the data being submitted manually by the user.

Turning now to exemplary FIG. 6, FIG. 6 depicts an exemplary embodiment of a web user interface 600, for manual submission of evidence to be tested and analyzed. FIG. 6 specifically shows a data collection interface regarding the password configuration settings that may be enabled with respect to particular applications, such as MICROSOFT ACTIVE DIRECTORY 602 or OTHER SYSTEM 604. For each application, a user may be able to upload information relevant to the password configuration settings, in a variety of formats, including, for example, a group or group name for the password configuration settings, a minimum password length, a minimum password age, a maximum password age, and a required or allowed password complexity (such as whether the password requires a minimum number of alphanumeric characters, whether the password requires a minimum number of other characters, whether the password has certain other limitations such as a maximum number of repeated characters or character strings or a minimum number of differences between characters (such that the password cannot be “AAAAAAAAA1” or a similar character string), or any other such restrictions on the password such as may be desired). Other features, like password history tracking, password lockout procedures such as a maximum number of login attempts, an idle session expiry timer or expiry criteria, or other such applicable settings may also be uploaded, such as may be desired. In various exemplary embodiments, this information may be provided in any applicable form, such as in the form of a JPG or other image file, or in the form of structured data such as a comma-separated values (CSV) file. (In the exemplary embodiment specifically shown in FIG. 6, it may be contemplated that a CSV file may be used to provide many of the relevant data values. In an exemplary CSV file, the user can leave blank any settings that are not enabled or which are not known, or can indicate them with a specific placeholder data value, such as a zero. Other such configurations may also be contemplated, such as using a zero to indicate “not present,” a one to indicate “present,” and leaving the section blank to indicate “unknown.” In an exemplary embodiment, the platform may then attempt to fit data into these blank placeholders based on, for example, scanned password policy documents such as the password configuration screen shown as a JPG in the example case.)
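As an added illustration (not code from the patent or its applicant) of how the CSV evidence described above could be tested against pre-configured standards, the following Python distinguishes a blank cell ("unknown", to be filled from other evidence later) from a zero ("not present") and from a real value, and scores each value against baseline thresholds. The column names, the sample rows and the BASELINE thresholds are constructed assumptions, not values from the page.

```python
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from typing import Optional

# Constructed sample evidence in the CSV layout the description suggests:
# one row per application/group; a blank cell means "unknown", a zero means
# "not enabled / not present".
SAMPLE_CSV = """\
system,group,min_length,min_age_days,max_age_days,history,lockout_attempts,idle_expiry_min
ACTIVE DIRECTORY,Default Domain Policy,8,1,90,24,5,15
OTHER SYSTEM,Finance App,6,0,,0,,30
"""

# Hypothetical baseline standing in for the platform's pre-configured
# best-practice standards: ("min", n) means the value must be >= n,
# ("max", n) means it must be <= n. Assumed values, not from the page.
BASELINE = {
    "min_length": ("min", 12),
    "min_age_days": ("min", 1),
    "max_age_days": ("max", 90),
    "history": ("min", 12),
    "lockout_attempts": ("max", 10),
    "idle_expiry_min": ("max", 15),
}


@dataclass(frozen=True)
class ControlResult:
    system: str
    group: str
    setting: str
    status: str  # "pass", "fail", "not_present" or "unknown"
    observed: Optional[int]
    expected: str


def parse_cell(raw: str) -> tuple[str, Optional[int]]:
    """Map one CSV cell to (kind, value): blank -> unknown, 0 -> not present."""
    raw = raw.strip()
    if raw == "":
        return "unknown", None
    value = int(raw)
    if value == 0:
        return "not_present", 0
    return "value", value


def evaluate_setting(setting: str, raw: str) -> tuple[str, Optional[int], str]:
    """Compare a single setting against the baseline; placeholders pass through unscored."""
    direction, threshold = BASELINE[setting]
    expected = f"{'>=' if direction == 'min' else '<='} {threshold}"
    kind, value = parse_cell(raw)
    if kind != "value":
        # "not_present" and "unknown" are reported as such rather than as pass/fail,
        # so the auditor sees that evidence is missing instead of a silent pass.
        return kind, value, expected
    ok = value >= threshold if direction == "min" else value <= threshold
    return ("pass" if ok else "fail"), value, expected


def evaluate_csv(text: str) -> list[ControlResult]:
    """Run every baseline setting over every row of the submitted CSV evidence."""
    results: list[ControlResult] = []
    for row in csv.DictReader(io.StringIO(text)):
        for setting in BASELINE:
            status, value, expected = evaluate_setting(setting, row.get(setting, ""))
            results.append(
                ControlResult(row["system"], row["group"], setting, status, value, expected)
            )
    return results


def blanks_to_fill(results: list[ControlResult]) -> list[tuple[str, str]]:
    """Settings left blank, i.e. the placeholders the platform would try to fill
    from other evidence such as a scanned password-configuration screen."""
    return [(r.system, r.setting) for r in results if r.status == "unknown"]


def summarize(results: list[ControlResult]) -> dict[str, int]:
    """Count results per status for a dashboard-style roll-up."""
    counts = {"pass": 0, "fail": 0, "not_present": 0, "unknown": 0}
    for r in results:
        counts[r.status] += 1
    return counts


if __name__ == "__main__":
    for r in evaluate_csv(SAMPLE_CSV):
        print(f"{r.system:17} {r.setting:17} {r.status:12} observed={r.observed} expected {r.expected}")
    print(summarize(evaluate_csv(SAMPLE_CSV)))
```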

As shown, the platform may allow for multiple submission types of evidence such as connector information, manual file uploads and unstructured data sources, amongst others. Once added, evidence may be listed on the UI along with other identifying information, such as an identity of the company agent that provided the information 606, a date on which it was provided 608, and a date that it was uploaded to the system 610. Information may also be downloaded 612 or deleted 614, such as may be desired.

Turning now to exemplary FIGS. 7A and 7B, FIGS. 7A and 7B together depict another exemplary embodiment of a user interface of the system showing the dashboards for reporting 700. According to an exemplary embodiment, dashboards including a board dashboard 702, an IT operations dashboard 704, and an audit dashboard 706 may be provided.

As shown in exemplary FIGS. 7A and 7B, the platform may allow for reporting of results from the testing and analysis of data collected. The aggregation and/or consolidation of complex and disparate data structures may be managed using the platform. Dashboards, such as dashboards 702, 704, 706, may be provided with dashboard-type reporting with drill-down capabilities. The reporting features of the platform may equip different audiences with the relevant level of visibility into the risk, governance and security of the IT landscapes. These audiences may range from the board of a company or group of companies (or other management personnel), who may be provided with a board dashboard 702 showing an overall executive summary; the IT operations of the same group or groups, who may be provided with detailed statistics relevant to the IT operations of the company or companies via an IT Operations Dashboard 704; or the audit and risk committees, who may be shown auditing information on an Audit Dashboard 706 (including, for example, any non-technical audit information such as financial audit information, such as may be desired); amongst others. Other customized reports may also be created; for example, according to an exemplary embodiment, it may be contemplated to have reports created based on free-text options which may be specified by the user. The ability of the platform to maintain multiple customized dashboards and report features to the user may thereby provide a reporting feature of the platform that allows for user centricity, meaning that the platform provides a single view of the user, company or group, across the IT environment with associated risks and maturities.

To give examples of the data that may be shown in each dashboard 702, 704, 706 or which may be shown in sections corresponding to Board, IT Operations, or Audit areas, as shown in exemplary FIG. 7B, it may be contemplated that a high-level overview shown in the board dashboard 702 may provide a summary of control risks related to people (including a level of control maturity, a level of risk associated with a current control level, and a number of controls to which the company is currently subscribed, herein abbreviated as “maturity,” “risk,” and “controls,” respectively), and similar displays for control risks related to processes and technology. Other categories may also be contemplated. It may also be contemplated to provide other data via this interface, such as, for example, comparable levels for other companies or other industry participants (if such data is known), historical levels which may be provided for purposes of comparison, forecasted future levels (including forecasted future levels if no action is taken or forecasted future levels if a certain control or set of controls is subscribed to), or any other such relevant information such as may be desired. It may further be contemplated that, in an IT Operations dashboard 704, information related to the day-to-day administration of IT operations may be provided, such as a number of administrators, a number of normal users and a number of users who have been disabled (such as employees on extended leave or who have left the company, or users who it has otherwise been determined should not have access), as well as information on the user profiles such as a number of user profiles of new users or users requiring follow-up such as users not active for a certain period of time or users who have been completely inactive. Finally, it may be contemplated that, in an audit dashboard 706, information related to the progress of the audit may be provided, such as a number of controls that have been reviewed and a number of controls that have been tested. The results of the tests may likewise be shown.

Turning now to exemplary FIG. 8, FIG. 8 depicts another exemplary embodiment of a user interface 800 of the platform, in this case showing remediation recommendations, risk ratings 804, and alerts 802 for companies which form part of a group of companies 806. Detailed summaries of some or all of the companies in the group 806 may also be shown 808.

In an exemplary embodiment, the platform may facilitate remediation by providing filtered alert mechanisms, global anomaly trending, predictions, detection and recommended responses. The remediation recommendations may be customized to suit the user's needs, based on criteria including measurable metrics, the best product fit for the user, and benchmarking available to compare solutions to one another. The platform may be configured to alert or notify the user of current risk exposures or inefficiencies within the IT environment. The platform may be configured to map the existing specifications of the user's IT environment to a proposed specification based on product catalogues and/or rules and architecture intelligence.

According to an exemplary embodiment, the exemplary interface 800 may specifically show a portfolio overview for all received alerts 802 that might be applicable to a set of selected companies in the group 806. For example, the platform may show the set of received alerts 802 that have the highest risk or highest priority in a preview screen, with the other remaining alerts also being viewable upon selection of the “alerts” tab or a link in the “alerts” tab like a “view all” command. The received alerts may be summarized via their risk ratings 804, for example based on the average risk rating of the received alerts, or a summary of the risk ratings of all alerts. The companies in the group 806 may also be summarized, based on, for example, whether the companies have newly joined, whether the companies have subscriptions expiring soon, whether the companies have been allocated to auditors/consultants or not, or whether the company has been allocated to a particular consultant. In this case, three companies 808 are shown, each one being scored based on the company's maturity, indicating a state of development of the company's IT infrastructure and policies, and based on the company's risk, indicating a level of risk to the company's infrastructure. Each one may be scored based on, for example, a number of findings (which may each provide an alert), a number of items of physical evidence or other evidence that have been collected so far (such as, for example, information about a password policy), a number of controls that have been tested by the software so far, a number of control tests that have been received and reviewed by the consultant or auditor, and a scope of testing that has been provided by the present platform (currently at 0% for each company).

Turning now to exemplary FIG. 9, FIG. 9 depicts another exemplary embodiment of a user interface of the system showing platform insights relating to users and security 900. Looking specifically at FIG. 9, the platform may be configured to provide a more detailed breakdown of data related to the IT Operations dashboard, such as a breakdown of security issues by sources. According to an exemplary embodiment, an IT Operations dashboard may highlight a select set of most urgent action items for display on that dashboard, which in that case all had to do with the active user profiles and specifically related to the users who had not logged in for a given time period or who had never logged in. However, in the detail page for IT operations 900, further information may be shown, such as a list of all action items related to the network, a list of all action items related to the one or more websites that the company is operating, and a list of all action items related to the programs that the company is using, like WORDPRESS, to administer the network or one or more websites, or which otherwise may present vulnerabilities. In an exemplary embodiment, each program that is analyzed by the platform may include program-specific action items such as theme vulnerabilities, plugin vulnerabilities, exposed files such as exposed readmes, or exposed users.

Turning now to exemplary FIG. 10, FIG. 10 depicts an exemplary process flow diagram for a recommendation generation function 1000. In a first step, the platform may identify a security issue, using a testing and analysis platform 1002. In a next step, the platform may identify the size of the organization's IT environment, the risk appetite of the organization, and the risk profile of the IT environment 1004, including information regarding the estimated frequency of attacks, the estimated targets of attacks, the estimated severity of attacks and so forth. Such information may be based on, for example, industry benchmarking, the history of the business, or other sources such as may be desired. Risk appetite information may be used to weigh risk profile information; for example, if the organization assigns a low impact to attacks on availability, remedial measures in this regard may be deprioritized even if attacks on availability are likely. In a next step, the platform may determine the organization's remediation budget 1006. In a next step, the platform may determine the estimated prices and efficacy of various remediation options 1008, which may be based on, for example, industry benchmarking. The platform may then optimize the remediation options based on the estimated cost of each option (such as a price of each tool and an estimated cost of implementation) and an estimated effect that each option would have on the overall risk 1010. The platform may then generate and output recommendations for a user 1012.
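The steps 1004 through 1010 above amount to a budget-constrained selection problem; the following Python is an added worked example (not the applicant's code) that weights a risk profile by risk appetite, compounds the estimated efficacy of each option, and picks the affordable set of options with the lowest residual weighted risk. The risk profile, appetite weights, remediation catalogue, prices and efficacy figures are all constructed assumptions standing in for the benchmarking data the description refers to.

```python
from dataclasses import dataclass
from itertools import combinations

# Constructed risk profile (step 1004): estimated likelihood and impact of attacks
# per security objective, plus the organization's risk appetite as a weight per
# objective. The low availability weight reproduces the page's example: attacks
# on availability are likely, but the organization assigns them a low impact.
RISK_PROFILE = {
    "confidentiality": {"likelihood": 0.6, "impact": 0.9},
    "integrity": {"likelihood": 0.4, "impact": 0.8},
    "availability": {"likelihood": 0.9, "impact": 0.7},
}
RISK_APPETITE = {"confidentiality": 1.0, "integrity": 1.0, "availability": 0.2}


@dataclass(frozen=True)
class Remediation:
    name: str
    price: float            # estimated price of the tool
    implementation: float   # estimated cost of implementation
    efficacy: dict          # assumed fractional reduction of attack likelihood per objective

    @property
    def cost(self) -> float:
        return self.price + self.implementation


# Hypothetical remediation catalogue (step 1008); values are constructed.
CATALOGUE = [
    Remediation("MFA for admins", 4000, 2000, {"confidentiality": 0.5, "integrity": 0.3}),
    Remediation("Patch management", 3000, 3000,
                {"confidentiality": 0.3, "integrity": 0.3, "availability": 0.3}),
    Remediation("DDoS protection", 5000, 1000, {"availability": 0.8}),
    Remediation("Backup & restore", 2000, 1000, {"availability": 0.6, "integrity": 0.2}),
]


def weighted_risk(profile: dict, appetite: dict) -> float:
    """Overall risk: sum over objectives of likelihood * impact * appetite weight."""
    return sum(v["likelihood"] * v["impact"] * appetite[k] for k, v in profile.items())


def apply(profile: dict, chosen) -> dict:
    """Residual profile after the chosen options; reductions compound multiplicatively,
    so two 50% reductions leave 25% of the original likelihood, not 0%."""
    residual = {k: dict(v) for k, v in profile.items()}
    for option in chosen:
        for objective, reduction in option.efficacy.items():
            residual[objective]["likelihood"] *= 1 - reduction
    return residual


def optimize(catalogue, profile, appetite, budget):
    """Step 1010: exhaustive search over option subsets (adequate for a small
    catalogue). Returns (chosen names, residual weighted risk, total cost); the
    affordable subset with the lowest residual risk wins, ties go to the cheaper one.
    An empty selection is returned when nothing fits the budget or nothing helps."""
    best, best_key = (), (weighted_risk(profile, appetite), 0.0)
    for r in range(1, len(catalogue) + 1):
        for subset in combinations(catalogue, r):
            cost = sum(o.cost for o in subset)
            if cost > budget:
                continue  # step 1006: respect the remediation budget
            key = (weighted_risk(apply(profile, subset), appetite), cost)
            if key < best_key:
                best, best_key = subset, key
    return [o.name for o in best], best_key[0], best_key[1]


if __name__ == "__main__":
    names, residual, cost = optimize(CATALOGUE, RISK_PROFILE, RISK_APPETITE, budget=10000)
    print(f"baseline risk {weighted_risk(RISK_PROFILE, RISK_APPETITE):.4f}")
    print(f"recommend {names}: residual risk {residual:.4f} at cost {cost:.0f}")
```

With the availability weight at 0.2 the search skips DDoS protection despite the 0.9 attack likelihood; raising that weight to 1.0 with a 6000 budget makes DDoS protection the single recommended option.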

Turning now to exemplary FIG. 11, FIG. 11 depicts an exemplary process flow diagram for a typical audit process 1100 that may be performed without the use of the present platform, such as might be understood in the prior art, and which is provided to better contextualize the improvements made by the present platform.

In a typical audit process 1100, a first phase may begin with a planning step 1110 in which it is determined exactly what the audit objectives are going to be. Two major documents are generally requested. First, an audit charter is provided by the client 1112, detailing the purpose of the audit, and the management responsibility, authority and accountability of the audit. For example, the mission, aims, goals, and objectives of the audit may be specified, based on exactly what is demanded by the client and what laws and professional standards are in effect. In addition to the audit charter, a Letter of Representation 1114 is also usually sought and obtained, usually for the purpose of ensuring that the audit is full and comprehensive, and that all information disclosed is accurate.

A second phase may be a risk assessment and process analysis step 1120, evaluating the level of risk that the auditee currently faces as a result of its IT environment. While not all audits use a risk-based audit approach, risk-based audits typically are easily adapted toward an iterative improvement process, whereby a current level of risk may be evaluated, improvements may be made, and an effect on risk may be evaluated. The risk assessment process in this step 1120 may also inform aspects of the audit, such as an area or business function to be specifically targeted; the nature, extent and timing of audit procedures; and the amount of resources to be allocated to an audit. (Audits of a system that is not expected to be critical, for example, may be performed in such a manner as to minimize their impact.)

The second phase 1120 may include evaluation of inherent risk 1122, control risk 1124, and detection risk 1126. Inherent risk 1122 is the susceptibility of an audit area to potentially significant error, individually or in combination with other errors, assuming that there were no related internal controls for minimizing or eliminating the error. (One example is “pressures on information systems management which may predispose them to conceal or misstate information.”) Control risk 1124 is the risk that an error could occur in an audit area and would not be prevented or detected and corrected on a timely basis by the internal control system. (For example, the risk associated with a common automated procedure malfunctioning may be low, while the risk associated with a control that requires manual analysis of logging software may be high, owing to a high possibility of error being associated with that methodology.) Control risk 1124 may be low for systems that can readily be identified, evaluated as effective, and tested and proved to be operating appropriately. Detection risk 1126 is the risk that the auditor's procedures will not detect a potentially significant error, based on the auditor's assessment of inherent and control risk.

The third phase 1130 may include actually performing the audit, involving steps of providing supervision, gathering audit evidence, and documenting audit work. A first step in this process is often generating control objectives for information and related technology (COBIT) 1132, a set of best practices for IT management. Review may typically involve examination and evaluation of planning and organization of information resources; planning and acquisition of systems (and growth in current systems); operation and support of IS/IT facilities, operations, utilization and access; monitoring of the processes surrounding the information systems; the level of effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability associated with the information held in the IS/IT systems; and the level of utilization of IT resources available within the environment of the IS including people, the application systems of interface, technology, facilities and data. The process may also include application control review 1134, which will generally evaluate controls effectiveness and efficiency, application security, and whether the application performs as expected for each control.

All of this information may then be documented and reported 1140, often along with recommendations for improvement. (This may then be the basis for iterative improvement of the overall system.) A typical report generally includes identification of an organization, intended recipients and any restrictions on circulation; detailed information on the scope, objectives, period of coverage, nature, timing and the extent of the audit work; a set of findings, conclusions, recommendations and any reservations, qualifications and limitations on those findings; and audit evidence, based on what was collected.

The foregoing description and accompanying figures illustrate the principles, preferred embodiments and modes of operation of the invention. However, the invention should not be construed as being limited to the particular embodiments discussed above. Additional variations of the embodiments discussed above will be appreciated by those skilled in the art (for example, features associated with certain configurations of the invention may instead be associated with any other configurations of the invention, as desired).

Therefore, the above-described embodiments should be regarded as illustrative rather than restrictive. Accordingly, it should be appreciated that variations to those embodiments can be made by those skilled in the art without departing from the scope of the invention as defined by the following claims.

1. A method for performing an information technology audit on a networkenvironment using an automated platform, wherein the method comprises:creating, via a user interface, a connector, said connector comprising asoftware tool governing integration of data from at least one othersoftware tool or platform into the automated platform, the connectorhaving a connector type, said connector type comprising a specific datatype; defining, via the user interface, a configuration for theconnector based on the connector type, and storing the configuration forthe connector as a stored connector configuration in the automatedplatform; assigning one or more credentials to the connector, andvalidating, with the automated platform, the credentials; following avalidation of the credentials, retrieving, from the automated platform,the stored configuration, and synchronizing a connector configurationbetween the connector and the stored connector configuration, whereinsynchronizing the connector configuration comprises determining whethera connector version implemented in the connector and a connector versionof the stored connector configuration are different, and, when theconnector version implemented in the connector and the connector versionof the stored connector configuration are different, updating at leastone of the connector version implemented in the connector and theconnector version of the stored connector configuration to a mostcurrent configuration; collecting, from a data source and via theconnector, a set of client data comprising both structured data andunstructured data, wherein structured data is of the specific data typefor the connector and unstructured data is not of the specific data typefor the connector, said client data comprising one or more technicalsecurity features implemented on the network environment, and providinga data output to an application programming interface (API) and servicesplatform based on the set of client data; identifying, in the set 
ofclient data, the unstructured data, wherein identifying the unstructureddata comprises matching the structured data to connectors in a pluralityof connectors based on one or more identifiers in the structured data,and determining unmatched data to be unstructured; executing, on the APIand services platform, at least one data interpretation step, the atleast one data interpretation step comprising passing the data output toat least one skills API, performing, with the at least one skills API,digital interpretation of unstructured data provided in the data output,and aggregating the structured data and interpreted unstructured datainto aggregated data; executing, on a processing platform coupled to theAPI and service platform, at least one controls evaluation step on theaggregated data, the at least one controls evaluation step comprisingdetermination of an audit control output based on a result of the atleast one data interpretation step, and further storing a result on theprocessing platform; generating and updating a plurality of dashboardsbased on the result, a first dashboard being a summary dashboardcomprising a plurality of graphical displays, each of the graphicaldisplays corresponding to one or more audit control results, and asecond dashboard being a monitoring dashboard comprising at least onecurrently actionable item identified by the processing platform; andgenerating and outputting at least one recommendation to the user forremediation of the at least one actionable item based on at least onecomparison of a remediation solution to an alternative solution by theprocessing platform.
 2. The method of claim 1, wherein the step ofgenerating and outputting the at least one recommendation comprises:selecting the remediation solution from a list of available remediationsolutions based on constraints provided by the user; conducting a firsttest of a network component with the remediation solution simulated asbeing in place; conducting a second test of a network component with thealternative solution simulated as being in place, and comparing a resultof the first test and a result of the second test.
 3. The method ofclaim 2, wherein the constraints provided by the user comprise aremediation budget, and wherein the method further comprises determininga price of the remediation solution and determining an estimatedefficacy of the remediation solution.
 4. The method of claim 3, whereinthe method further comprises optimizing a plurality of recommendedremediation solutions based on the price of each recommended remediationsolution in the plurality of recommended remediation solutions and anestimated efficacy of each recommended remediation solution in theplurality of recommended remediation solutions.
 5. The method of claim2, wherein the constraints provided by the user further comprise aminimum rating, and wherein each remediation solution is associated witha rating score, each rating score comprising at least one rating of oneor more other users.
 6. The method of claim 1, wherein the step ofexecuting, on a processing platform coupled to the API and serviceplatform, at least one controls evaluation step comprises transmittingdata from the API and service platform to the processing platform via ahypertext transfer protocol secure (HTTPS) representational statetransfer (REST) API.
 7. The method of claim 1, wherein the unstructureddata comprises at least one of: an image of a password policy or animage of a password creation screen.
 8. The method of claim 1, wherein astep of providing the data output to the API and services platform basedon the set of client data is performed contemporaneously with the stepof synchronizing the connector configuration between the connector andthe stored configuration, wherein the step of providing the data outputto the API and services platform based on the set of client data isinitiated during a synchronization process after the synchronizationprocess has synchronized run-time settings.
 9. The method of claim 1,wherein each of the steps of collecting, from the data source and viathe connector, the set of client data, and providing the data output tothe API and services platform based on the set of client data, areperformed contemporaneously, whereby a first set of data is output tothe API and services platform prior to an end to a step of collectingthe set of client data.
 10. The method of claim 1, wherein the step ofgenerating and updating the first dashboard further comprises:retrieving at least one of an industry standard, a similar-sized companystandard, and a similar-complexity company standard; and generating theplurality of graphical displays based on the at least one of theindustry standard, the similar-sized company standard, and thesimilar-complexity company standard.
 11. The method of claim 1, whereinthe step of generating and updating the first dashboard furthercomprises: retrieving at least one of a past data record for the companyand a forecast for the company; and generating the plurality ofgraphical displays based on the at least one of the past data record andthe forecast.
 12. The method of claim 1, wherein providing a data outputto an API and services platform based on the set of client data furthercomprises: incorporating the data output into a message buffer; and withthe API and services platform, consuming the message buffer prior tostorage of the data output.
 13. The method of claim 1, wherein themethod further comprises: receiving, via the user interface, asubmission of at least one data file; determining, based on one or moreconnectors including the connector, a matching connector in the one ormore connectors; and automatically assigning the matching connector tothe at least one data file, and uploading the at least one data file viathe matching connector.
 14. The method of claim 1, wherein the methodcomprises: via the user interface, selecting the connector type, andperforming, via the user interface, an edit to the connector type; andstoring the edit to the connector type as the stored configuration inthe automated platform prior to the step of creating, via the userinterface, the connector having the connector type.
 15. The method ofclaim 1, wherein the set of client data comprises data corresponding toa plurality of client systems; wherein the step of executing the atleast one controls evaluation step on the aggregated data comprisesdetermining an audit control to be executed, executing the audit controlon the data corresponding to each of the plurality of client systems,and obtaining an audit control result for each of the plurality ofclient systems; and wherein generating and updating the plurality ofdashboards based on the result comprises simultaneously displaying eachof the audit control results for each of the plurality of clientsystems.
 16. The method of claim 1, wherein the method further comprisessimultaneously executing a plurality of information technology audits,each of the plurality of information technology audits being operated inmulti-tenanted form on the automated platform.
 17. The method of claim1, wherein the method further comprises: determining, via a multi-factorauthentication step, a right of access of the user and a level of accessof the user; and limiting the set of client data based on the level ofaccess of the user.
 18. The method of claim 1, wherein the set of clientdata further comprises an organizational hierarchy, and wherein themethod further comprises: identifying, in the set of client data, a userprofile; transmitting, to an administrator of the organizationalhierarchy, a unique code associated with the user profile; and linkingthe user profile to the organizational hierarchy.
19. A system for performing elements of an information technology audit on a network environment, the system comprising: a plurality of connectors, each connector comprising a software tool governing integration of data from at least one other software tool or platform into the system, each of the connectors configured to retrieve data from a data source and provide a data output; an automated platform comprising an application programming interface (API) and services platform and a processing platform, the API and services platform configured to receive the data output and connect to the processing platform via a hypertext transfer protocol secure (HTTPS) representational state transfer (REST) API, and the processing platform configured to execute processing on data provided via the HTTPS REST API; and a user interface; wherein the system is configured to perform the steps of: receiving, via the user interface, an instruction to create a connector having a connector type, said connector type comprising a specific data type, and receiving instructions via the user interface providing a configuration for the connector based on the connector type; storing the configuration for the connector as a stored connector configuration in the automated platform, and adding the connector to the plurality of connectors; assigning one or more credentials to the connector via the user interface, and validating, with the automated platform, the one or more credentials; after a validation of the credentials, retrieving, from the automated platform, the stored connector configuration, and synchronizing a connector configuration between the connector and the stored connector configuration, wherein synchronizing the connector configuration comprises: determining whether a connector version implemented in the connector and a connector version of the stored connector configuration are different, and, when the connector version implemented in the connector and the connector version of the stored connector configuration are different, updating at least one of the connector version implemented in the connector and the connector version of the stored connector configuration to a most current configuration; collecting, from the data source and via a connector in the plurality of connectors, a set of client data comprising both structured data and unstructured data, wherein structured data is of the specific data type for the connector and unstructured data is not of the specific data type for the connector, said client data comprising one or more technical security features implemented on the network environment, and providing a data output to the API and services platform based on the set of client data; identifying, in the set of client data, the unstructured data, wherein identifying the unstructured data comprises matching the structured data to connectors in a plurality of connectors based on one or more identifiers in the structured data, and determining unmatched data to be unstructured; executing, on the API and services platform, at least one data interpretation step, the at least one data interpretation step comprising passing the data output to at least one skills API, and performing, with the at least one skills API, digital interpretation of unstructured data provided in the data output, and aggregating the structured data and interpreted unstructured data into aggregated data; executing, on the processing platform, at least one controls evaluation step on the aggregated data, the at least one controls evaluation step comprising determination of an audit control output based on a result of the at least one data interpretation step, and further storing a result on the processing platform; generating and updating a plurality of dashboards based on the result, a first dashboard being a summary dashboard comprising a plurality of graphical displays, each of the graphical displays corresponding to one or more audit control results, and a second dashboard being a monitoring dashboard comprising at least one currently actionable item identified by the processing platform, and displaying the plurality of dashboards on the user interface; and generating and outputting at least one recommendation for remediation of the at least one actionable item based on at least one comparison of a remediation solution to an alternative solution by the processing platform, and providing the at least one recommendation to the user interface.
20. A non-transitory computer-readable medium comprising computer program code that, when executed, causes a system comprising a plurality of connectors each configured to retrieve data from a data source and provide a data output, an automated platform comprising an application programming interface (API) and services platform and a processing platform and configured to receive the data output and connect to the processing platform via a hypertext transfer protocol secure (HTTPS) representational state transfer (REST) API and execute processing on data provided via the HTTPS REST API, and a user interface, to execute the steps of: receiving, via the user interface, an instruction to create a connector, said connector comprising a software tool governing integration of data from at least one other software tool or platform into the automated platform, the connector having a connector type, said connector type comprising a specific data type, and receiving instructions via the user interface providing a configuration for the connector based on the connector type; storing the configuration for the connector as a stored connector configuration in the automated platform, and adding the connector to the plurality of connectors; assigning one or more credentials to the connector via the user interface, and validating, with the automated platform, the one or more credentials; after a validation of the credentials, retrieving, from the automated platform, the stored configuration, and synchronizing a connector configuration between the connector and the stored connector configuration, wherein synchronizing the connector configuration comprises: determining whether a connector version implemented in the connector and a connector version of the stored connector configuration are different, and, when the connector version implemented in the connector and the connector version of the stored connector configuration are different, updating at least one of the connector version implemented in the connector and the connector version of the stored connector configuration to a most current configuration; collecting, from the data source and via a connector in the plurality of connectors, a set of client data, comprising both structured data and unstructured data, wherein structured data is of the specific data type for the connector and unstructured data is not of the specific data type for the connector, said client data comprising one or more technical security features implemented on the network environment, and providing a data output to the API and services platform based on the set of client data; identifying, in the set of client data, the unstructured data, wherein identifying the unstructured data comprises matching the structured data to connectors in a plurality of connectors based on one or more identifiers in the structured data, and determining unmatched data to be unstructured; executing, on the API and services platform, at least one data interpretation step, the at least one data interpretation step comprising passing the data output to at least one skills API, performing, with the at least one skills API, digital interpretation of unstructured data provided in the data output, and aggregating the structured data and interpreted unstructured data into aggregated data; executing, on the processing platform, at least one controls evaluation step on the aggregated data, the at least one controls evaluation step comprising determination of an audit control output based on a result of the at least one data interpretation step, and further storing a result on the processing platform; generating and updating a plurality of dashboards based on the result, a first dashboard being a summary dashboard comprising a plurality of graphical displays, each of the graphical displays corresponding to one or more audit control results, and a second dashboard being a monitoring dashboard comprising at least one currently actionable item identified by the processing platform, and displaying the plurality of dashboards on the user interface; and generating and outputting at least one recommendation for remediation of the at least one actionable item based on at least one comparison of a remediation solution to an alternative solution by the processing platform, and providing the at least one recommendation to the user interface.
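The connector pipeline recited in claims 19 and 20 (credential validation gating collection, version synchronization against the stored configuration, splitting collected records into structured data matched to a connector by identifier and unmatched unstructured data, interpreting the unstructured part, evaluating a control over the aggregate, and choosing a remediation by comparing options) is illustrated below in Python. This is an added example, not code from the patent or from any implementation of it; every name (Connector, StoredConfig, sync_versions, evaluate_mfa_control, REMEDIATIONS) is hypothetical, the regex stands in for the "skills API", the MFA control is a representative audit control chosen for illustration, and the sample records are constructed.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Connector:
    """Hypothetical connector: one data type, identified by a set of record keys."""
    name: str
    data_type: str          # the "specific data type" of the connector type
    identifier_keys: tuple  # record keys that mark a record as that data type
    version: int            # connector version implemented in the connector
    credentials: dict = field(default_factory=dict)


@dataclass
class StoredConfig:
    """Hypothetical stored connector configuration held by the platform."""
    version: int
    settings: dict


def validate_credentials(conn, required=("client_id", "client_secret")):
    # Illustrative check only: required fields present and non-empty. A real
    # platform would exercise the credential against the data source.
    return all(conn.credentials.get(k) for k in required)


def sync_versions(conn, stored):
    # If the two versions differ, both sides are raised to the most current one.
    if conn.version != stored.version:
        newest = max(conn.version, stored.version)
        conn.version = stored.version = newest
    return conn.version


def match_connector(rec, connectors):
    # A record is "structured" when it carries every identifier key of a connector.
    for conn in connectors:
        if all(k in rec for k in conn.identifier_keys):
            return conn
    return None


def classify(records, connectors):
    structured, unstructured = [], []
    for rec in records:
        conn = match_connector(rec, connectors) if isinstance(rec, dict) else None
        if conn:
            structured.append({**rec, "_type": conn.data_type})
        else:
            unstructured.append(rec)  # unmatched data is treated as unstructured
    return structured, unstructured


# Stand-in for the skills API: extract user/MFA facts from free-text log lines.
KV = re.compile(r"user=(?P<user>\S+)\s+mfa=(?P<mfa>on|off)")


def interpret(unstructured):
    out = []
    for item in unstructured:
        m = KV.search(item if isinstance(item, str) else str(item))
        if m:  # data the stub cannot interpret is dropped, not guessed at
            out.append({"user": m["user"], "mfa": m["mfa"] == "on", "_type": "interpreted"})
    return out


def evaluate_mfa_control(aggregated):
    """Representative control: every user record must have MFA enabled."""
    failing = sorted(r["user"] for r in aggregated if "user" in r and not r.get("mfa"))
    return {"control": "MFA-01", "result": "fail" if failing else "pass", "actionable": failing}


# Hypothetical remediation options scored as (effort, residual risk); lower is better.
REMEDIATIONS = {"enforce_mfa_policy": (2, 1), "manual_user_outreach": (4, 3)}


def recommend(control_output):
    # The recommendation is the option that wins the comparison against the alternative.
    if control_output["result"] == "pass":
        return None
    best = min(REMEDIATIONS, key=REMEDIATIONS.get)
    return f"{best} for {', '.join(control_output['actionable'])}"


def run_audit(conn, stored, records, connectors):
    if not validate_credentials(conn):
        raise PermissionError("credentials not validated; refusing to collect")
    sync_versions(conn, stored)
    structured, unstructured = classify(records, connectors)
    aggregated = structured + interpret(unstructured)
    control = evaluate_mfa_control(aggregated)
    return control, recommend(control)


# Constructed sample input: two structured identity records, one free-text log
# line, and one host record that matches no connector.
IDP = Connector("idp", "identity", ("user", "mfa"), version=2,
                credentials={"client_id": "demo", "client_secret": "secret"})
STORED = StoredConfig(version=3, settings={})
SAMPLE = [
    {"user": "alice", "mfa": True},
    {"user": "bob", "mfa": False},
    "2024-01-01T00:00:00Z login-audit user=carol mfa=off",
    {"host": "web01", "ports": [22, 443]},
]

if __name__ == "__main__":
    print(run_audit(IDP, STORED, SAMPLE, [IDP]))
```

The ordering in run_audit is the security-relevant point: collection never happens on an unvalidated credential, and configuration drift between the connector and the platform is reconciled before any data is pulled, so the control is evaluated against data gathered under a known connector version.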